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[57] ABSTRACT 

^A-method'ancl:sy^tem~fdr:cntering:numericd:infonnati^^^ 
a manner that^pan^be easily used by visually impaired 
individuals ^are disclosed. Using a touch screen display, for 
each digit of aVmultidigit number a first location on the 
screen is touch^ed a number of times equal to the digit 
followed by toifching a second location. C^ce all the digits 
have been entered, a third location is touched. This method 
allows for dividing the touch screen display into a small 
number of large! area touch active regions, such as quadrants, 
. thus reducing the accuracy required to enter a value since the 
large area cjipirMits are easily referenced to the screen 
boundaries. Further, audible cues arc used to prompt the user 
as3veU:as:provide:feedbacl^ 

23 Claims, 7 Drawing Sheets 
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VISUALLY IMPAIRED CUSTOMER 
ACTIVATED TERMINAL METHOD AND 
SYSTEM 



BACKGROUND OF THE INVENTION 

The present invention relates generally to electronic 
financial transactions and, more particulariy, to a financial 
transaction method and system for visually impaired, blind, lo 
and learning disabled individuals. 

Customer activated terminals (CATs), or automatic teller 
machines (ATMs), have become a well established and 
convenient means for performing typical banking transac- 
tions such as deposits, cash withdrawals, and balance moni- 15 
toring, thus reducing the need for personal teller interaction 
and concomitantly reducing waiting time for both common 
transactions performed by the CAT and transactions requir- 
ing a personal teller. These automated teDers offer 24 hour 
accessibility and still offer privacy and security, as well as 20 
customer service via a telephone which is usually located 
adjacent to the ATM. 

Although a vast majority of individuals enjoy the conve- 
nience and flexibility associated with ATMs, many indi- 
vidual are limited from sharing these attributes due to visual ^ 
impairment, blindness, or illiteracy disabilities. 

There have been many efforts to enable disabled indi- 
viduals to enjoy the freedom, equal access, and same oppor- 
tunities that are available to non-disabled individuals both 
within the banking environment and in other aspects of daily 
life. Highlighting and abetting these efforts, are laws which 
mandate changes to improve access and also serve as 
guidelines for implementing the required changes. 

In the banking environment several changes have been 
made to assist individuals with disabilities. For instance, 
banking centers employing phones allow individuals to 
perform nearly all banking using a touch-tone phone, elimi- 
nating the need for visual prompts. Hearing impaired indi- 
viduals requiring use of the ATM phone for customer ^ 
assistance are aided by a volume control handset. ATMs also 
have been configured to make them accessible to individuals 
in wheelchairs. 

Despite this progress, further improvements arc still 
needed to allow individuals with disabilities to benefit from 45 
the advances in automated banking services. In particular, 
today* s ATMs present the user with small area buttons which 
are difficult to locate and distinguish for a visually impaired, 
blind, or learning disabled individual. 



SUMMARY OF THE INVENTION 

Accordingly,::an object of 7tlic prcs^" invention is~lo 
pro,^de:^ a^composite7methodlMd -system for -electronic ^ ^ 
transaciions which:can be easily:used:byJ/ isually3impa^ 
blind.:or:lcarning:disabledjndyidua^ 

A related object of the present invention is to provide 
methods and systems which are compatible with existing 
ATMs, thus facilitating fast, efficient implementation and go 
widespread availability of these options to banking custom- 
ers. 

A^furlhMrobj^^f-tlm::prese^^ 
electr onictrans acjon -methods jandsys^^ not 
ov^y:indicaie:ihBlTthe userhas"ahy disabilify 65 
ingithc targejdng or fl^^ which, mighty 

compromi se Uiein dividualVs afetyrsecurity.T or-self-esteem 
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Another^obj ect_of„the_.present Jnvention , is jo, pro vide 
electronic:transactibnHrne^hods„and.systems.-w^ 
relylexclusively^^on^dllaiy^d^^ 
nection Torlcontrdl)!!^" 

Iti furtheiw:e:of :ihese :obje^^ 
transaction methods and -systOTS^^^^^ 
existing "ATMs, and pa^^^ 

touch screen displaj pFor every screen that the customer 
needs ft^^ touch, the touch screen display is divided into 
qua(h:ants,j^each quadrant representing a large "button" 
which jthe user touches to interact with the electronic teller. 
The quadrant size, being rather large, may be located and 
toucheld not only by visually impaired individuals who may 
be able I to discern the large font, high contrast visual cues 
projected onto each quadrant but also, by learning disabled 
and blind individuals who may easily orient themselves to 
the screen (e.g., by locating the screen comers) and thus to 
the "buttons" thereon. In addition, the electronic teller 
prompts or responds to user actions with sotind cues or 
"beeps") in a similar way that current ATMs audibly interact 
with individuals who are not visually impaired. Thus, to one 
situated|away firom the user, the sounds are similar to those 
transmitted during operation in the conventional mode. The 
visually { impaired user may enter the visually impaired 
person (VIP) mode by simply touching or tapping the upper 
right quadrant twice in succession, each tap confirmed by a 
beep and successful transition to the next step confirmed by 
a "good transition" sound. The user then proceeds through a 
series of steps which, in the illustrative embodiment, involve 
cither the withdrawal of cash or the deposit of funds. By 
minimizing the number of steps, using the simple quadrant 
arrangement and screen tapping signalling scheme, as well 
as using ^graphic sjmnbols, large fonts, and high contrast 
screens, a JS^IP mode user may easily communicate with the 
electronic ^teller and therefore enjoy the same benefits of 
ATMsraSlanyroth^individual. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will be described in greater detail below by 
way of reference to the accompanying drawings, in which 
like reference characters refer to like parts throughout the 
various views, wherein: 

FIG. 1 is a perspective drawing which illustrates an 
automatic teller machine used in conjunction with the 
present invention; 

FIG. 2 is a functional block diagram of the components 
making up the automatic teller machine used in conjunction 
with the present invention; 

FIGS. 3-6 are operational flow diagrams in accordance 
with the method of the present invention; and 

FIG. 7 illustrates atypical touch screen display screen for 
entering numerical information according to the prior art 
methods. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENT 

The present invention is preferably practiced in conjunc- 
tion with an automatic teller machine (ATM) which has a 
touch screen display. FIG. I illustrates an ATM with char- 
acteristic features such as a card reader 10, a deposit 
envelope receiver 11. a cash dispenser 12, a record dispenser 
13, and a touch screen display 14. The ATM illustrated in 
FIG. 1 is a widely used type of known construction. 
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FIG. 2 functionally depicts these components communi- 
cating with a processor 15 which is also connected to a 
central customer information data base 16. Processor 15 
appropriately receives and/or transmits information and con- 
trol signals associated with the progression of a series of 3 
steps involved in performing a transaction. A preferred 
feature of the invention is the use of braille labels 18 
mounted adjacent to, and identifying, each component. 
Another component of the prefeired embodiment, not shown 
in the drawings, generates audible cues in the form of sounds 
of various durations and pitches in response to signals from 
the processor. 

The above components will be discussed below in con- 
nection with the description of the data processing and 
operational steps associated with electronic U^sactions 
perfonned using the ATM. As set forth in the flow charts of 
FIGS. 3-7. rectangular shapes represent the graphic/textual 
screen that is projected onto the touch screen display 14, 
boxes with rounded comers represent a process, and circles 
represent a connector between steps. Whereas these figures 
depia numerous steps which represent the overall process, ^ 
only five basic steps are apparent to the user interface, 
namely: entering the VIP mode, dipping a credit or debit 
card, entering a personal identification number (PIN), select- 
ing a transaction type, and entering a numerical value 
representing the monetary value associated with the selected ^ 
transaction. 

For simplicity in describing the salient aspects of the 
invention, the operational steps will be described using an 
ATM possessing a "dipper'* type card reader 10 which 
allows the user, while maintaining a continuous grip, to 
insert the card into the reader and remove it in one motion 
(i.e., dip). This type of reader differs somewhat from a 
transport type reader which removes the card from the 
customers possession, generally keeping the card for the ^5 
duration of the transaction but is equally applicable to the 
present invention. Implementing the invention with trans- 
port type card readers is within the routine know-how of one 
skilled in the art, and thus is not essential to describing the 
present invention. ^ 

In accordance with the preferred embodiment of the 
present invention, all touch responsive screens presented on 
the touch screen display 14 are divided into four zones or 
quadrants which abut each other with no nonresponsive 
space between them. Except for a small border the four 43 
zones encompass the entire display. Thus, once a customer 
is oriented with respect to the touch screen display 14 (e.g., 
by locating the comers along the edges) it is relatively easy 
to touch the proper "buttons*' represented by the quadrants. 
Of course, certain screens may not require that all four zones 50 
are active. 

As a means of assisting screen orientation, a narrow width 
of the entire display periphery is responsive to touch but is 
not associated with any of the quadrants. Instead, it forms a 
separate border region which in response to touch generates 55 
a ^'normal bo op*' sound, indicating that the user has touched 
an undefined zone. This *'dead zone*' and its associated audio 
cue allow the user to locate the screen boundary without 
unintentionally touching one of the active quadrants. As a 
further aid for the disabled user, graphic and/or textual 60 
information displayed as screens on the touch screen display 
14 are defined by large fonts, high contrast features, and 
simple graphics. Furthermore, a distinct set of sound cues 
provide audible feedback corresponding to: successful 
completion of a step and progression to another step requir- 63 
ing a user action or input (i.e., "good transition" sounds #1, 
#2, #3, and #4); unsuccessful completion of a step (i.e., "bad 
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transition*' sound); and successful transaction session 
completion (i.e., "good bye" sound). 

Referring now to FIG. 3, an initial step 31 involves the 
processor 15 checking the status of all components involved 
in the operation of the ATM including the record dispenser 
13, the card reader 10, the deposit envelope receiver 11, the 
cash dispenser 12, the touch screen display 14, and the 
communications link between the processor and the cus- 
tomer data base 16. A status register in the processor 15 is 
used to store the status bits which are set according to signals 
received from the respective components. If any component 
is not operadonal, then, in step 36, an interrupt h^dling 
sequence occurs and the VIP mode will not be available until 
the condition is corrected. If all components are operational 
(i.e., "up**) then, in step 32, the "HELLO" screen is dis- 
played on the touch screen display 14. 

In step 32, the system waits to receive a predetermined 
number of taps, (e.g., two taps) in the upper right quadrant 
of the touch screen display 14 and if received initiates the 
visually impaired person (VIP) mode of operation. A "nor- 
mal beep" sound occurs for each tap which indicates to the 
user that the VIP mode has been activated and a "good 
u-ansition" sound #1 signals that the next step 33 has been 
entered. Tapping the screen in any location other than the 
upper right quadrant, in step 32, generates a **normaI boop'* 
sound, indicating contact with an invalid zone; the 
"HELLO" screen remains active until either the VIP mode 
or the conventional mode is entered. The conventional mode 
is initiated by dipping a card into the card reader without first 
tapping the upper right quadrant twice. Having entered the 
VIP mode in step 32, the routines of step 33 are initiated. A 
"DIP CARD** display prompts the user to dip a bank card 
into the card reader 10. Step 34, which is associated with the 
display of step 33, invokes procedures for monitoring the 
bank card dipping sequence. 

FIG. 6 illustrates the process and flow control of the card 
reading routine of step 34. Preferably, when a card is 
inserted into the card reader 10 a first timer of about 2.5 
seconds is enabled and if the card is removed within this 
time (step 71) the processor 15 determines at step 76 
whether the information read from the card is valid and 
returns a signal indicative thereof to the main process flow 
of FIG. 4 (step 40) via connector 35. Alternatively, if this 
first timer expires, a *TAKE CARD OUT* screen is dis- 
played, an intermittent "normal bell** sound is generated, 
indicating that the card should be removed, and a second 
timer of about 17.5 seconds is started (step 72). The **normal 
bell" sound is repeated during the 17.5 seconds. If the card 
is removed within the second timer interval (step 73) then 
the process progresses to step 76. If, however, the card 
remains in the card reader after the second timer expires, a 
third timer of about 3 minutes is started at step 74, and it is 
determined whether the card is removed within this time 
period. Failure to remove the bank card within this approxi- 
mately 3 minute period results in displaying an *t)UT OF 
SERVICE*' screen in step 75. In this condition, the ATM is 
down and the touch screen display 14 is nonresponsive until 
the card is removed. Removal of the card within this time 
period causes the process flow to branch to step 45 of FIG. 
4 as illustrated by connector 44. 

Upon branching to step 45 the ATM presents a "bad 
transition** sound and displays a "SORRY** screen for sev- 
eral seconds, indicating that an error has prevented a suc- 
cessful transition to the next screen and that the transaction 
session is aborted. This step is followed by restarting the 
operational flow in step 31 of FIG. 3 as illustrated by 
connector 30 which corresponds to the similarly labeled 
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connector in FIG. 3, While the "SORRY" screen is displayed upper right '*Go" quadrant, the touch being confirmed by a 

(step 45) the touch screen display quadrants are inactive normal beep sound. The reinitialization steps 45 and 30 are 

(i.e., nonresponsive to touch). TTiis reinitialization sequence performed if fewer than the minimum allowable number of 

occurs for all errors throughout the operational flow of the PIN digits were entered; otherwise, if the PIN were correctly 
present embodiment. 5 entered progression to step 42 is made in which the proces- 

Retuming now to the main flow illustrated in FIG. 3, the sor 15 communicates with the central customer database 16 

described card reading routine of step 34 will either result in to determine the validity of the PIN. During this time, a 

the *'OLrr OF SERVICE" condition of step 75 (FIG. 6), or "PLEASE WATT* screen is displayed which is nonrespon- 

rehim a '"bad read'* output or a "good read" output to step 40 sive to touch, and a '^ck-tock" sound is generated indicaUng 

(FIG. 4) by connector 35. A "bad read" output activates the that the ATM is processing and that the user should wait for 

reinitialization sequence (step 45), In the event of a "good an additional prompt. 

read " the system progresses from step 40 to step 41 in which Once the processing is complete, an invalid PIN results in 

a screen for entering a personal identification number (PIN) the reinitialization procedure: presenting a "SORRY" screen 

is displayed and "good transition" sound #2 is presented. and a **bad transition" sound (step 45) followed by restarting 

Preferably, as a further aid in progressing through the the flow sequence (step 30). A valid PIN results in the ATM 

transaction steps, all "good transition" sounds have the same generating the "good transition" sound #3 upon progressing 

fundamental sound pattern as the first such sound but each to step 43 in which the user may select a transaction. Using 

is a multiple of the first in pitch, and/or number of times the screen schematically depicted in step 43, the customer 

repeated, and/or tempo. may choose either a cash withdrawal or a fund deposit by 

En a typical prior art display, a graphic/textual screen such touching either the lower left "CASH" quadrant or the lower 

as that shown in FIG, 7 is projected onto the touch screen right "DEPOSIT" quadrant, respectively. On either of these 

display for entering numerical information, such as the PIN. two quadrants, one touch presents a "normal beep" sound 

This is done by touching the appropriate zone for each while any combination of two touches (i.e., two touches of 

numerical value followed by touching the *'Enter" zone. For the "CASH" quadrant, two touches of the ''DEPOSIT* 

a visually impaired individual this prior art display has an quadrant, or one touch each of the "CASH'* and the 
excessive number of limited area touch zones. In fact, for a ^ "DEPOSIT' quadrants) presents a "normal boop'* sound at 

visually impaired individual such a display is generally more the occurrence of the second touch which is followed by the 

difiicult to operate than displays which employ mechanical reinitialization procedure. 

touch switches, since the mechanical switches allows for Touching the "GO*' quadrant after a proper selection 

orientation by touch without causing a switch to be acti- confirms that transaction selection and presents a "normal 

vated, whereas not only is it challenging to orient oneself to beep" sound. If "GO" were touched without selecting a 

the projected screen of FIG. 7 without inadvertently touch- transaction, the flow branches to the reinitialization proce- 

ing one of the active **buttons" but also, once oriented it is dure. Touching the "EXIT' quadrant is also confirmed by a 

still difficult to touch the desired "button" region. "normal beep*' sound and is followed by the reinitialization 

In contrast, the screen display depicted in step 41 for procedure which includes the "bad transition" sound and the 

entering a multidigit PIN number according to the present "SORRY" screen followed by restarting the process flow 

invention is well suited for use by a visually impaired (step 30). 

individual. The quadrants are respectively labeled as "Exit " jf "CASH** were selected successfully in step 43 (FIG. 4) 

"Go," "Enter," and "#** (i.e., the number sign), and a central "good oansition" sound #4 is presented and the process flow 
rectangular field (known in this step as the PIN field) ^ branches to step 51 (FIG. 5) in which the customer enters the 

symmetrically overlaps a portion of each active quadrant desired quantity for the cash withdrawal using a screen such 

which still abut each other below the PIN field. For each as that depicted in step 51. Using the same procedure as 

digit of the multidigit PIN the customer taps the lower right described above for the PIN number entry, the customer 

"#** quadrant a number of times equal to the digit and then enters the desired cash withdrawal amount Thus, for each 

touches the lower left "ENTER" quadrant in order to enter digit of the desired amount the customer touches the lower 

the corresponding digit and delimit it from any succeeding right quadrant, in this case labeled by "$'* (i.e., dollar sign), 

digit which is similarly entered. For instance, entering the a number of times equal to the digit, followed by touching 

number 3 consists of tapping the lower right "#'* quadrant the lower left "ENTER** quadrant to enter the digit. As they 

three times followed by touching the lower left "ENTER*' are entered, digits are displayed in the central rectangular 

quadrant once. Consistent with this method, entering a zero field of the screen. Touching the upper right "GO" quadrant, 

consists of solely touching the "ENTER*' quadrant without confirmed by a "normal beep" sound, indicates the conclu- 

first touching the "#*' (i.e., zero taps in lower right; once in sion of entering the cash value. Typically, the cash with- 

lower left to enter digit). drawal request must be a multiple of ten (e.g., $10, $20, 

A "normal beep" sound is generated at a lower volume for etc.), and entering an invalid quantity causes branching to 
each lap at both the lower left and lower right quadrants. For 55 the reinitialization procedure, as does any other error, or 
each digit entered, an asterisk is displayed to the right of any touching the upper left "EXIT* quadrant, 
preceding asterisk within the PIN field. If, for any reason, a proper cash value request causes progression to step 52 
the customer wishes to abort the transaction session, then in which the processor 15 determines whether the transac- 
touching the upper left "EXIT* quadrant, confinned by a tion is authorized according to the information available 
**norraal beep** sound, ends the session and reinitiates the 50 from the central customer database 16. During this process- 
transaction process flow at step 30 via step 45, as previously ing, the previously described "PLEASE WAIT' screen and 
described. This reinitialization procedure also occurs if the associated "tick-tock" sound are presented to the customer, 
user touches the lower right quadrant greater than nine times Refused authorization results in the reinitialization routine, 
for any single digit or attempts entering more than the defined by step 45 followed by step 30. Authorization results 
maximum allowable number of PIN digits. 65 in displaying the *TAKE CASH" screen and presenting the 

After entering all the digits of the PIN by this method, the cash at cash dispenser 12 until the customer removes the 

customer indicates completion of this step by touching the cash or a predetermined maximum time period expires (step 
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53). If the user does not remove the cash from the cash 
dispenser 12 within this allotted time period the ATM 
retracts the dispensed cash. Preferably, cash is dispensed in 
a single denomination. Upon retraction of the cash by the 
ATM or retrieval of the cash by the customer, the process . 5 
flow proceeds to step 64 in order to print a transaction 
record. 

If "DEPOSIT' were selected successfully in step 43, 
"good u^sition" sound #4 is presented and the process flow 
branches to step 56 in which the customer enters the quantity jq 
of the deposited funds using essentially the same screen and 
method used for the cash withdrawal process. Depositing 
funds, however, must allow for entering cents values and 
thus, the last two digits entered by the customer always 
represent cents. For example, to deposit $123 the customer 
enters each digit in the sequence *' 12300" from left to right 
with the decimal implied. Any errors associated with enter- 
ing the deposited value result in the reinitialization 
sequence. Properly entering the deposited value and touch- 
ing the **G0" quadrant in step 61 progresses the process flow 
to step 62. During the '^PLEASE WATT' screen display and ^ 
associated *1ick-tock". sound (step 62), the processor links to 
the central customer data base 16 and upon connection 
proceeds to step 63 in which a display prompts the customer 
to insert an envelope into deposit envelope receiver 11. If an 
envelope is not detected, then the reinitialization routine ^ 
occurs via connector 55, whereas detection of an envelope 
advances the process flow to step 64. 

In step 64, a transaction record is printed and presented by 
the record dispenser 13. Any error occurring during the 
printing step (e.g., printer failure) initiates the reinitializa- 
tion sequence. Proper execution of the printing step 64 
yields a "good bye" sound in transition to step 65 in which 
a *THANKS'* screen is displayed for a short period of time 
before the process flow branches to the initial step 31 via 
connector 30, thereby rendering the ATM ready for another 
transaction session from either a disabled or non-disabled 
user. 

The description of the foregoing illustrative embodiment 
should not be construed as limiting the scope of the inven- 40 
tion, and it will be readily understood by those persons 
skilled in the art thai the present invention is susceptible to 
many modifications, adaptations, and equivalent implemen- 
tations without departing from its scope. For example, the 
illustrated method to enter numerical values may be applied 45 
to other systems and applications. Also, while the preferred 
embodiment is herein described in connection with a touch 
screen display, the present invention may be practiced with 
other types of touch responsive interfaces (e.g., interfaces 
including pushbuttons or other tactile transducers). Further, 50 
different methods may be used for indicating completion of 
a numerical entry; for example, by having a maximum 
allowable time interval between successive taps for speci- 
fying a given digit with delays exceeding this maximum 
indicating that the next digit will be entered. The process 55 
flow may also be modified such that the user enters the 
desired number of bills for cash withdrawals; for example, 
for a machine dispensing twenty dollar bills an individual 
would touch the screen five times to withdraw one hundred 
dollars. Alternatively, different denominations may be made 50 
available by having separate regions of one screen, or 
separate screens, for specifying the desired number or cash 
vsdue of each denomination. 

These and other changes can be made without departing 
from the spirit and the scope of the invention and without 65 
diminishing its attendant advantages. It is therefore intended 
that the present invention is not limited to the disclosed 
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embodiment but should be defined in accordance with the 
claims which follow. 
We claim: 

1. A method of inputting any multidigii number into a 
processing machine having a touch responsive interface 
comprising the steps of: 

a) u^smitling a signal representing one digit of said 
number to the processing machine by touching a first 
location of said touch responsive interface a number of 
times equal to said digit; and 

b) transmitting a signal to the processing machine indi- 
cating the completion of said inputting of said digit by 
touching a second location on said touch responsive 
interface one rime, 

c) repearing steps a) and b) for each digit of said multidigit 
number: and 

d) transmitting a signal to the processing machine indi- 
cating the completion of said inputting of said multi- 
digit number by touching a third location on said touch 
responsive interface 

wherein said first, second and third locations of said touch 
responsive interface are physically distinct areas of said 
touch responsive interface and are disposed relative to 
borders of said touch responsive interface. 

2. The method according to claim 1 wherein said number 
is a plurality of digits each of said digits having a value 
between 0 and 9, said plurality of digits forming a multidigit 
value, said method further comprising the steps of: 

repeating the steps of claim 1 for each digit of said 

multidigit value; and 
transmitting a signal to the processing machine indicating 

the completion of said inputting of said multidigit 

number by touching a third location on said touch 

responsive interface. 

3. The method according to claim 1 wherein said pro- 
cessing machine is an automatic teller machine. 

4. The method according to claim 1 wherein said pro- 
cessing machine generates sounds in response to said touch- 
ing of said touch responsive interface. 

5. The method according to claim 1 for inputting a number 
into said processing machine further comprising additional 
information inputting steps required for completing a pro- 
cess performed by said processing machine, successful 
transition between said inputting steps being audibly sig- 
nalled by said processing machine. 

6. The method according to claim 1 wherein said touch 
responsive interface includes a touch screen display. 

7. The method according to claim 6 wherein said touch 
screen display is divided into quadrants, each quadrant being 
separately responsive to touch. 

8. The method of dividing said screen according to claim 
7 further comprising a separate touch responsive zone along 
the periphery of said touch screen display. 

9. A method, suitable for use by the visually impaired, of 
inputting a multidigit number into a processing machine 
having a touch screen display comprising the steps of: 

controlling said screen such that it comprises a limited 
number of large areas to facilitate access by the visually 
impaired; 

transmitting each digit of said multidigit number to said 
processing machine by touching a first location on said 
screen a predetermined number of times representative 
of each digit of said multidigit number followed by 
touching a second location on said screen; and 

transmitting a signal to the processing machine indicating 
the completion of said inputting of multidigit number 
by touching a third location on said screen. 
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10. The method according to claim 9 wherein said pro- 
cessing machine is an automatic teller machine. 

11. The method according to claim 9 wherein said pre- 
determined number of times representative of each digit 
equals the numerical value of said digit. 5 

12. A financial transaction method for using an automated 
teller machine having a touch screen display comprising the 
steps of: 

initiating a transaction session by touching said touch 
screen display a predetermined number of times in a 
predetermined location; 

inputting each digit of a mullidigit identification code into 
said automated teller machine by touching a first loca- 
tion on said screen a predetermined numbra- of times 
representative of said digit of said multidigit identifi- 
cation code, followed by touching said touch screen 
display a predetermiaed number of times in a second 
location; 

touching said touch screen display a predetermined num- 
ber of times in a third predetermined location, indicat- 
ing completion of said inputting step and initiating ^ 
transaction selection step; 

selecting a transaction type by touching said touch screen 
display a predetennined number of times in one of a 
plurality of locations, each of said locations represent- 
ing one of said transaction types, followed by touching 
a separate location not encompassed by said plurality of 
locations; and 

entering subsequent multidigit values associated with 
selected said transaction type according to the touching 
method described by said inputting step and touching 30 
step. 

13. The method according to claim 12 wherein said 
predetermined number of times representative of said digit 
equals said digit. 

14. The method according to claim 12 wherein said touch 35 
screen display is arranged such that identical options at 
different steps correspond to same said predetermined loca- 
tion. 

15. The method according to claim 12 wherein said touch 
screen display is divided into quadrants. 40 

16. The method according to claim 12, wherein said 
transaction types, selected in said selecting step, include 
withdrawing cash and depositing funds. 

17. An apparatus for administering an operational process 
flow for data processing comprising: 45 

a) a touch screen display adapted for inputting a multidigit 
number by touching a first location of said screen a 
number of times equal to one digit of said number; and 

b) a processor, connected to said touch screen display, 
adapted for receiving said number and controlling said 50 
operational process flow; 

c) said touch screen display having a second location 
adapted to transmit a signal to the processing machine 
indicating the completion of said inputting of said digit 
by touching said second location: 

wherein said first and second locations are touched for 
each digit of said multidigit number, said first location 
being touched a number of times equal to each of said 
digits followed by said second location being touched 
one time to indicate that the inputting of each of said 60 
digits by said touching of first location has been com- 
pleted: and 

d) said touch screen display having a third location 
adapted to transmit a signal to the processing machine 
indicating the completion of said inputting of said 6S 
multidigit number by touching said third location 
wherein said first, second and third locations of said 



touch screen display are physically distinct areas of 
said touch screen display and are disposed relative to 
borders of said touch screen display. 

18. The apparatus according to claim 17 wherein said 
apparatus is an automatic teller machine. 

19. Ah apparatus for administering an operational process 
flow for a data processing machine comprising: 

a) means for inputting a multidigit number by touching a 
first location and a second location of said inputting 
means; and 

b) means, connected to said inputting means, for control- 
ling said operational process flow; 

wherein said first and second locations are touched for each 
digit of said multidigit number, said first location being 
touched a number of times equal to each of said digits 
followed by said second location being touched one time to 
indicate that the inputting of each of said digits by said 
touching of first location has been completed: and 

c) said inputting means having a, third location adapted to 
transmit a signal to the processing machine indicating 
the completion of said inputting of said multidigit 
number by touching said third location wherein said 
first, second and third locations of said inputting means 
are physically distinct areas of said inputting means and 
are disposed relative to borders of said inputting means. 

20. The apparatus according to claim 19 wherein said 
apparatus is an automatic teller machine. 

21. The apparatus according to claim 19 wherein said 
inputting means includes a touch screen display. 

22. A computer based system for performing financial 
transactions using an automated teller machine comprising: 

a touch screen display for displaying a plurality of display 
screens, each display screen including a plurality of 
regions, each region being separately responsive to 
touch for receiving information and generating a signal, 
the sequence of said display screens being selectively 
determinable by said touch; 

a card reader for reading information stored on a trans- 
action card; 

a cash dispensing means for disbuning an amount of cash, 
said amount being entered via one of said display 
screens; 

a fund deposit means for receiving an amount of funds, 
said amount being entered via one of said display 
screens; 

a transaction record means for providing, at the conclu- 
sion of the transaction session, a record summarizing 
certain results of said session; and 

a processor for receiving signals from said touch screen 
display and card reader, said processor generating 
appropriate audible cues and display screens while 
controlling said cash dispensing means, said fund 
deposit means, and said transaction record means; 

and wherein, numerical information, comprising a 
sequence of digits, is applied to said touch screen 
display for each of said digits by touching a first 
predetermined region a number of times equal to value 
of one of said digits, followed by touching a second 
predetermined region signifying completion of the 
entry of that digit; and wherein tiie input of said 
numerical information is indicated by touching a third 
predetermined region. 

23. The apparatus according to claim 22 further compris- 
ing braille labels mounted adjacent to said card reader, said 
cash dispensing means, said fund deposit means, and said 
transaction record means, for indicating each respective 
function. 
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[57] ABSTRACT 

Systems which comprise (a) an automatic teller machine 
which includes a plurality of customer interfaces such as a 
bank card reader, a banking record dispenser, a cash dis- 
penser, and a receptacle for receiving bank deposits; (b) 
infrared remote communication emitters and (c) individual 
short range infrared communication emitters located in the 
teller machine. The emitters (b) are adapted to provide 
repealing, directionally sensitive frequency modulated mes- 
sage signals identifying the direction to and location of the 
teller machine. Thus a person having a portable receiver for 
such signals is led to the machine and is enabled to position 
himself/herself in front of the machine in order to operate it. 
The respective emitters of (c) provide a separate repeating, 
directionally sensitive frequency modulated message signal 
which at least identifies the location of the respective 
customer interfaces on the teller machine so that by move- 
ment of the portable receiver in front of the machine, the 
location on the teller machine of the respective customer 
interfaces can be determined. Feedback concerning the 
transactions can also be provided from the system to the 
customer through the portable receiver. 

13 Claims, 2 Drawing Sheets 
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ACCESSIBLE AUTOMATIC TELLER 
MACHINES FOR SIGHT-IMPAIRED 
PERSONS AND PRINT-DISABLED PERSONS 



TECHNICAL FIELD 

This invention relates to automatic teller systems rendered 
accessible for sight-impaired persons and print-disabled 
persons. lO 



BACKGROUND 

A recent analysis of the National Center for Health 
Statistics estimated that 4,3 million non-institutionalized 
people in the United States had difficulty reading the news- 
paper with their corrected vision — a functional definition of 
perceived limitations termed "Severe Visual Impairment" 
(Nelson and Dimitrova, JVIP, March, 1993). An additional 
2.3 million people also reported difficulty with seeing 
medium to far distances. Another recent study (Chiang, et. 
al, Milbank Quarterly, 1992) estimates 1.1 million people 
are legally blind under the definition of tested acuity (<20/ 
200). Many other disabilities prevent persons from reading 
print In addition to people who are blind or have low vision 
and may not be able to see the print, there are many stroke, 
head-injured, autistic and dyslexic (or even just education- 
ally impaired) persons who may not be able to assimilate 
printed language even though they can see the page. Many 
people can accept this information through speech. 

In recent years an information and wayfinding system has 
been developed for assisting blind, low-visioned and other- 
wise print-handicapped individuals. The system, marketed 
under the trademark Taking Signs, consists of infrared ^5 
transmitters and receivers. Transmitters are placed on key 
signs in the environment which continually transmit the 
message of the sign. The receiver is carried by the person 
who activates it when direction or information is desired. 

A widely-used, highly popular method of conducting 40 
banking transactions involves use of automatic teller 
machines, commonly referred to as ATMs. Unfortunately, 
heretofore ATMs have had extremely limited accessibility 
for sight-impaired persons and print-disabled persons. Even 
if an ATM were to be provided with tactile displays, such as 45 
instructions in braille, the individual would have to be at the 
location of the ATM before the person could identify the 
information it bears. Moreover, the person would have to 
search for the location of such displays and the location of 
the relevant customer interacting means of the ATM, such as 50 
the bank card reader, the banking record dispenser, the cash 
dispenser, and slot or other mechanism for receiving bank 
deposits. And in addition, even after making use of the ATM 
the person would have to make the assumption that the 
desired banking functions were in faa accomplished. No 55 
positive on-the-spot reassuring feedback is available to the 
sight-impaired person or the print-disabled person. 

A need thus exists for an effective way by which an ATM 
can be rendered accessible and user-friendly to sight-im- 
paired persons and to print-disabled persons, without in any 60 
way diminishing the utility of the ATM for persons who arc 
not sight-impaired or print-disabled. In fulfilling this need, it 
is also highly important not to interfere with the operation of 
the ATM, or necessitate major or costly modification of the 
ATM apparatus. This invention is deemed to fulfill this need 65 
and to satisfy these requirements in a highly effective and 
efficient manner. 



SUMMARY OF THE INVENTION 

The present solution to the problem of providing acces- 
sible, user-friendly elecuronic banking terminals for use by 
sight-impaired persons and by print-disabled persons 
approaches the problem at various interrelated levels — each 
level going technically deeper into the system. The first level 
or step provides an effeaive way to identify the existence of 
and location of the teller machine. At the second level there 
is provided an information output mechanism to the cus- 
tomer appropriate to the customer's needs, once the cus- 
tomer has located the teller machine. And at the third level, 
there is provided an information input mechanism from the 
customer and an information output to the customer, both 
appropriate to the customer's abilities. 

In one of its embodiments this invention provides an 
automatic teller system rendered accessible for sight-im- 
paired persons and print-disabled persons, which system 
comprises: (a) an automatic teller machine which includes 
customer interacting means such as, for example, a bank 
card reader, a banking record dispenser, a cash dispenser, 
means for receiving bank deposits, etc.; (b) infrared remote 
communication means providing repeating, directionally 
sensitive frequency modulated message signals identifying 
the direction to and location of the teller machine such that 
a person having a portable receiver for said signals is led to 
and enabled to position himself/herself in a proximate 
operative relationship with the teller machine; and (c) indi- 
vidual short range infrared communication means in the 
teller machine, each said short range infrared communica- 
tion means providing at least a separate repeating, direc- 
tionally sensitive frequency modulated message signal iden- 
tifying the location of the respective customer interacting 
means on the teller machine such that said person can by 
suitable movement of such portable receiver in proximity to 
the teller machine identify the location on the teller machine 
of the respective customer interacting means. In addition the 
systems of this invention preferably also include short range 
infrared interactive communication means in the teller 
machine providing frequency modulated message signals 
for conveying transaction information to the receiver of the 
person while located in an operative relationship with the 
teller machine. The transaction information can at least in 
part be transmitted in response to use or actuation by the 
person of respective customer interacting means of the ATM 
and thereby serve as positive feedback to the person oper- 
ating the ATM. Using the principles of this invention, still 
other types of interactive conmiunication can be pro- 
grammed into the system to provide other information to the 
customer on request, such as account balance information, 
current interest rates, and so forth. 

Item (a) above can be any type of ATM which enables the 
user to conduct banking transactions such as withdrawal of 
money from one's account or depositing money to one's 
account. Devices of this type are in widespread use and thus 
further description is deemed unnecessary. Without in any 
way limiting the scope of this invention to any particular 
type of ATM, one interested in descriptions of devices of this 
type may refer, for example, to U.S. Pat. No. 4,314,352 to 
H. D. Fought; U.S. Pat. No. 4,318,354 to L. A. Fish; U.S. 
Pat. No. 5,382,777 to T. Yuhara et at,, and references cited 
therein. 

Infrared remote communication means (b) above is/arc 
particularly appropriate for open spaces where tactile signs 
are inappropriate; they label the environment for distant 
viewing. Such means operate in a '^broadcast" mode and 
allow sight-disabled or print-impaired people to directly 
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know not only what the item is, but where the item is. Just 
as sighted persons visually scan the environment to acquire 
both label and direction information, means (b) above 
directly orients the person to the labeled goal and constantly 
updates the person as to progress to that goal. That is, unlike 5 
Braille, raised letters, or voice signs which passively label 
some location or give mobility instructions to some goal, 
infrared means (b) above, which typically is in the form of 
an array of infrared emitters, provides a repeating, direc- 
tionally selective voice message or a series of such messages 
at least one of which originates at the location of the ATM 
and others of which may emanate from places leading to that 
location. All such messages are transmitted to a hand-held 
receiver. The direction selectivity is a characteristic of the 
infrared message beam and ensures that the person using the 
device gets constant feedback about his or her relative 
location to the goal as she or he moves towards it. 

Means (c) above enables the customer, when suitably 
positioned relative to the ATM— usually directly in front of 
it and close enough to operate the customer interacting ^ 
means thereof, such as a bank card reader, a banking record 
dispenser, a cash dispenser, and a receptacle or slot for 
receiving bank deposits — to first locate the precise position 
of the customer interacting means and then to perform the 
desired functions. To locate the precise position of the ^ 
customer interacting means the customer need only slowly 
sweep the receiver across the face of the ATM. As the beam 
of each infrared emitter is encountered it communicates to 
the receiver and thence to the customer not only what 
customer interacting means is at, or in close proximity to, the 
source of that infrared signal, but precisely where that 
customer interacting means is located on the ATM. Indeed, 
by moving the receiver to U^e the signal beam back to the 
surface of the teller machine, the customer can then nianu- 
ally touch and learn the configuration of the interacting 
means. The signal can also be progranuned to give instruc- 
tions on how to operate that particular customer interacting 
means and in what direction to move the receiver to find the 
other customer interacting means that the customer may 
wish to find. Means (c) can also be programmed to provide ^ 
feedback to the customer to confirm the extent, nature and/or 
completion of the transaction. Alternatively, separate means 
(d) can be included in the system for providing such feed- 
back and, to whatever extent desired, other forms of inter- 
action with the customer. ^2 

The system thus conveys transaction information to the 
receiver of the customer as the customer conducts the 
selected operations made possible by the ATM. For example, 
the means of (c) or (d) can be programmed to inform the 
customer whether the proper PIN code has been entered and 50 
that subsequent entries to the ATM are operating under the 
desired menus by virtue of proper key presses and properly 
synchronized responses to such key presses. Similarly, if the 
amount of a cash withdrawal requested exceeds the account 
balance, the signal from means (c) (or (d) if used) can be 55 
programmed to inform the customer of the situation, what 
account balance is available for withdrawal, and what can be 
done under the circumstances, and how to proceed with the 
approach the customer elects to pursue (e.g., proceed with a 
more limited permissible cash withdrawal or cancel the go 
entire proposed transaction). 

Means of (c) and (d) above typically operate in a **nar- 
rowcast*' mode can be arranged to emanate from the same or 
different infrared emitters. The emitters and the elecuxtnics 
associated therewith are preferably placed within the cabinet 65 
or housing of the ATM. In this way the system is rendered 
vandal-resistant and inconspicuous to sighted individuals. 



The infrared transmitters themselves are relatively small 
physically. For example, a 4x4 inch circuit board can readily 
acconunodaie the speech, clock and infrared LED driver 
circuits. In preferred arrangements the infrared emitters are 
placed in or immediately behind small apertures (e.g.. 0.125 
inch diameter) in the front face or panel of the ATM or in 
small bezels attached to and through the front face or panel 
of the fiCTM, A prefenred bezel is disclosed in commonly- 
assigned U.S. patent applications Ser. Nos. 08/539,358, and 
29/044,997, both filed Oct. 5, 1995. the disclosures of which 
are incorporated herein in total by reference for all purposes. 
An advantage of all such arrangements is that not only are 
the infrared signals easily detected by the customer's 
receiver but the customer's body serves as a light shield to 
ensure that only the customer's receiver would pick up the 
transaction information. 

In all cases, the infrared signals utilized in the systems of 
this invention are picked up by a portable directional 
receiver which typically comprises (i) a non- visual commu- 
nicator such as a small audio speaker or small audio ear- 
phone system, (ii) a self-contained source of electrical 
energy, (iii) a detector for receiving a sensed continuous 
frequency modulated infrared signal, and (iv) electronics 
converting the sensed signal into intelligible non-visual 
communication emanating frt)m the communicator. Suitable 
receivers are available from Talking Signs, Inc.. Baton 
Rouge, La., and information concerning such devices has 
been published. A particularly preferred portable directional 
receiver for such use is described in detail in commonly- 
assigned co-pending application Ser. No. 08/496,970, filed 
Jun. 30, 1995, all disclosure of which is incorporated herein 
by reference for all purposes. The receiver therein described 
has the advantage, inter alia, of giving good performance 
even when the receiver is in use in the presence of an 
ambient background of light energy. 



BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram illustrating a typical system for 
installation in an automatic teller machine to serve both as 
one of the individual long range infrared communication 
means (b) above and as a plurality of short range infrared 
conrmiunication means (c) above (and (d) above, if used as 
separate means). 

FIG. 2 is a circuit diagram for a typical frequency 
modulation circuit and associated infrared driver network 
for use in a system of FIG. 1. 



DESCRIPTION OF PREFERRED 
EMBODIMENTS 

As noted above, automatic teller machines per se are well 
known and, standing alone, form no part of this invention. 
Likewise a remote infrared information and way finding 
system has been developed and is available for use as the 
infrared remote communication means (b) above. These 
systems are marketed under the trademark Talking Signs by 
Talking Signs, Inc., Baton Rouge, La., and ftmher informa- 
tion concerning such systems can be found, for example, in 
a book published by The Smith-Kettlewell Eye Research 
Institute (San Francisco, Calif.) entitied Remote Signage for 
the Blind and Print Handicapped. Although standing alone 
neither means (a) nor means (b) above is novel per se, so far 
as is known, the combination of means (a) and means (b) is 
itself novel. 
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Turning now to the system in the form depicted in FIG. 1, 
output from TEXT-TO-SPEECH CONVERTER AND 
MULTIPLEXER UNIT 20 is received and processed by a 
plurality of FM MODULATOR & IR DRIVERS 30, the 
respective outputs from which are emitted by suitably pow- 5 
ered arrays of single channel emitters each of which delivers 
a continuous frequency modulated infrared signal. In FIG. 1 
the array serving as means (b) above is the referred to as the 
"HIGH POWER ARRAY FOR ATM LOCATION". Each 
individual means (c) (and means (d), if used separately) is 
referred to in FIG. 1 as "LOW POWER ARRAY FOR ATM " 
FUNCTION IDENTIFIER". Any suitable number of such 
high and low power arrays and their respective modulators 
and drivers 30 can be provided as deemed necessary or 
appropriate for any given ATM installation. 

The individual high and low power arrays serving respec- 
tively as the remote conmiunication means (b), and the short 
range infrared locator communication means (c) (and (d) if 
used separately) typicaDy comprise an array of single chan- 
nel emitters each of which delivers a continuous frequency 
modulated infrared signal in the pattern of a cone having a 
beam width in the range of about 10° to about 50° at a 
modulated frequency of 25 KHz with a 6 KHz band width 
and having an infrared carrier frequency in the range of 850 
to 950 nanometers. A principal difference between the high ^5 
and low power arrays resides in the excitation power to the 
diode. Also, depending on the size of the teller machine, the 
cone beam width of the individual low power arrays may be 
narrower than that of a high power array. Text-to-speech 
converter and multiplexer units 20 are available as articles of 
commerce. 

FIG. 2 illustrates the electronics and circuitry for gener- 
ating the infrared signal for transmission by an array com- 
posed of one or more infrared LEDs in a series configura- 
tion. As shown in HG. 2, the system processing the output 35 
signal from the text-to-speech unit for ultimate transmission 
via the infrared emitters comprises a buffer/amplifier circuit 
40, a frequency modulation circuit 50, an emitter follower 
amplifier 60, and an LED array driver 70, the respective 
components of which are set forth in FIG. 2 itself. As can be 40 
seen from FIG. 2, the analog signal from the text-to-speech 
unit is input to the buffer amplifier circuit of Ul via capacitor 
CI. The gain is determined by the value of potentiometer 
R4, adjustable for gains from 0 to 5. The output signal from 
buffer/amplifier circuit 40 is directed to the frequency modu- 45 
lation circuit of U2 via capacitor C2, Frequency modulation 
circuit SO converts the amplified analog voltage signal from 
circuit 40 into a frequency modulated signal centered at a 
carrier frequency of 25 KHz. The carrier frequency is set by 
adjustment of potentiometer R8. The frequency modulated 50 
output from circuit SO is transferred to the emitter follower 
amplifier of transistor Ql via resistor R9. The potentiometer 
RIO of amplifier 60 is used to excite the base of the LED 
array driver of Q2. The resistor RU of LED anay driver 70 
is selected to hmit the current flowing in the collector circuit 55 
containing the LED array (composed of one or more infrared 
LEDs in a series configuration) to prevent damage to the 
array due to excessive current flow. The power supply to the 
LED array is in the voltage range from +5 VDC to 4-15 VDC. 

As noted above, the infrared remote communication 60 
means (b) above operate(s) in a **broadcast" mode whereas 
the short range infrared communication means operate in a 
"narrowcast" mode. This differentiation can be readily 
accomplished by regulating the excitation power to the 
respective emitter diodes. Thus typically the excitation 65 
power to the diode of means (b) above will be in the range 
of at least about 10 milliwatts up to about 1000 milliwatts, 
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whereas the "narrowcast" operation of the short range 
diodes such as means (c) is typically effected by use of 
excitation power in the range of about 1 to about 10 
milliwatts. In will be understood and appreciated, however, 
that departures from these ranges may be made whenever 
deemed necessary or desirable in any given situation, and 
such departures are within the ambit of this invention. 

The instructions and information progranmied into the 
systems for transmission to the customer via the infrared 
signals is preferably in universal ASCII format, but can be 
in the form of a binary code that provides for a voice 
message equivalence. Preferably, the voice message equiva- 
lence is digitally recorded natural speech. However, the 
voice message equivalence can be synthesized speech, if 
desired. 

In one of its variant forms, this invention provides a 
control box to be used by the disabled person in conducting 
transactions with the ATM, once such person has been led by 
the system to a suitable location proximate to the ATM. If the 
customer is a Braille-reading person, the control box has 
labelled buttons and a Braille display of electromechanical 
pins with which all commands are transmitted to the ATM of 
a system of this invention and with which all feedback from 
such ATM are received by the person via tactile communi- 
cation. In the case of a severely disabled person requiring a 
joystick or chin operated controls, the conU*ol box is appro- 
priately configured for use by the disabled person in actu- 
ating the ATM system by means of the control box. In such 
case the control box is configured to receive the feedback in 
whatever manner is necessary or appropriate given the 
nature of the disablement. 

The entire disclosure of each and every U.S. patent and of 
each and every journal article, book or other publication of 
any kind, refened to in any portion of this specification is 
incorporated herein by reference for all purposes. 

This invention is susceptible to considerable variation in 
its practice. Therefore the foregoing description is not 
intended to limit, and should not be construed as linuting, 
the invention to the particular forms of the invention 
described with reference to the Drawings. Rather, what is 
intended to be covered is as set forth in die ensuing claims 
and the equivalents thereof permitted as a matter of law. 

I claim; 

1, An automatic teller system rendered accessible for 
sight-impaired persons and print-disabled persons, which 
system comprises: 

a) an automatic teller machine which includes a plurality 
of customer interacting means; 

b) infrared remote conmiunication means providing 
repeating, directionally sensitive frequency modulated 
message signals identifying the direction to and loca- 
tion of the teller machine such that a person having a 
portable receiver for said signals is led to and enabled 
to position himself/herself in a proximate operative 
relationship with the teller machine; and 

c) individual short range infrared communication means 
in the teller machine, each said short range infrared 
communication means providing a separate repeating, 
directionally sensitive frequency modulated message 
signal which at least identifies the location of the 
respective customer interacting means on the teller 
machine such that said penon can by movement of 
such portable receiver identify the location on die teller 
machine of the respective customer interacting means 
thereof. 

2. A system of claim 1 wherein said short range infrared 
communication means in the teller machine also provide 
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frequency modulated message signals for conveying trans- 
action information to the receiver of said person while 
located in an operative relationship with the teller machine, 
said information being in response to actions taken by the 
person using one or more of said customer interacting 5 
means. 

3. A system of claim 1 wherein said customer interacting 
means comprise a bank card reader, a banking record 
dispenser, a cash dispenser, and means for receiving bank 
deposits. 10 

4. A system of claim 1 wherein said infrared remote 
communication means and said individual short range infra- 
red conamunication means comprise separate arrays of 
single channel emitters each of which delivers a continuous 
frequency modulated infrared signal in the pattern of a cone 15 
having a beam width in the range of about 10® to about 50° 

at a modulated frequency of 25 KHz with a 6 KHz band 
width and having an infrared carrier frequency in the range 
of 850 to 950 nanometers, said remote communication 
means being operated at a higher power input than said short 20 
range infrared communication means. 

5. A system of claim 4 wherein said customer interacting 
means comprise a bank card reader, a banking record 
dispenser, a cash dispenser, and means for receiving bank 
deposits. 25 

6. A system of claim 4 wherein said system further 
comprises separate short range infrared communication 
means in the teller machine to provide frequency modulated 
message signals for conveying transaction information to the 
receiver of said person while located in an operative rela- 30 
tionship with the teller machine, said information being in 
response to actions taken by the person using one or more of 
said customer interacting means. 

7. An automatic teller system rendered accessible for 
sight-impaired persons and print-disabled persons, which 35 
system comprises: 

a) an automatic teller machine which includes as customer 
interacting means thereof, a bank card reader, a banking 
record dispenser, a cash dispenser, and means for 
receiving bank deposits; ^0 

b) one or more infrared remote communication means 
providing repeating, directionally sensitive frequency 
modulated message signals identifying the direction to 
and location of the teller machine such that a person 
having a portable receiver for said signals is led to and 
enabled to position himself/herself in a proximate 
operative relationship with the teller machine; 

c) individual short range infrared locator communication 
means in the teller machine, each said short range 



45 



infrared locator communication means providing a 
separate repeating, directionally sensitive frequency 
modulated message signal which at least identifies and 
leads lo the location on the teller machine of the 
respective customer interacting means such that said 
person can by movement of such portable receiver 
identify the location of the respective customer inter- 
acting means; and 
d) one or more short range infrared interactive conunu- 
nication means in the teller machine providing fre- 
quency modulated message signals for conveying 
transaction information to the receiver of said person 
while located in an operative relationship with the teller 
machine. 

8. A system of claim 7 wherein said remote communica- 
tion means comprises an array of single channel emitters 
each of which delivers a continuous frequency modulated 
infrared signal in the pattern of a cone having a beam width 
in the range of about 10° to about 50° at a modulated 
frequency of 25 KHz with a 6 KHz band width and having 
an infrared carrier frequency in the range of 850 to 950 
nanometers. 

9. A system of claim 7 wherein each said short range 
infrared locator conrmiunication means comprises at least 
one single channel emitter which delivers a continuous 
frequency modulated Infrared signal in the pattern of a cone 
having a beam width in the range of about 10° to about 50° 
at a modulated frequency of 25 KHz with a 6 KHz band 
width and having an infrared carrier frequency in the range 
of 850 to 950 nanometers. 

10. A system of claim 7 wherein said short range infrared 
interactive communication means comprises at least one 
single chaimel emitter which delivers a continuous fre- 
quency modulated infrared signal in the pattern of a cone 
having a beam width in the range of about 10° to about 50° 
at a modulated frequency of 25 KHz with a 6 KHz band 
width and having an infrared carrier frequency in the range 
of 850 to 950 nanometers- 

11. A system of claim 7 wherein the instructions and 
information programmed into at least (i) said short range 
infrared locator conmiunication means and (ii) said short 
range infrared interactive communication means is either in 
universal ASCII format or a binary code that provides for a 
voice message equivalence. 

12. A system of claim 11 wherein the voice message 
equivalence is digitally recorded namral speech. 

13. A system of claim 11 wherein the voice message 
equivalence is synthesized speech. 
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FIG. 29 illustrates a process by which searching and Infrastructure application, referred to above, as well as card 

retrieval of information is accomplished in accordance with reader primitives as set forth in the Smart Token application 

the invention. referred to above. This allows the user, be it an individual or 

FIG. 30 illustrates a process by which an order is guar- a software routine, to invoke security and card reading 

antecd in accordance with the invention. ^ capabilities using a standard consistent interface without 

FIG, 31 is another representation of a process by which an f ^ow the particular^funcdon^^^ 

order is placed in accordance with the invention. ^^'^^^^ pnmiUves. WorldZwiae.web-se rver.softwa re 

„^ . . 230~rcprcscnts'^any_one_of-several„standard_commercial 

FIG. 32 Illustrates relationships between a merchant s paci^ei= ^tilOo r -equippiag-a:compmer_ mthj^rld 

buswess apphcaUons software and other network compo- m^cil^ri^c^^E^aUty] The server softwar e may be sc^cr- 

^' configured to selectively utilize, directly the security and SeZh^tUX, 

BEST MODE FOR CARRYING OUT THE capabilities of the application programming 

INVENTION interface or may bypass those capabUities and drive com- 

munication software directly. Preferably, the server software 

_ ElG^7is:a:represeDtatioD: of:a:ne twork (ffl).-sucb-as tae^ j5 accommodates both modes of operation selectively. 

i-xW- Intenie^hich:is:eqmWed:for-ww Tlre-a nglication-softwar e-240-represenLs-aiiv-nuniher-of> 

meice^The network 100 seleaively links a variety of users apphcati55rS id^act-to- incoming messageslE^ 

together. Several network users have special fiinctions. cKe^-thiDUgh the-communkSi^S^rt-lo^ovide-the iP 

Network elements H, UO represent a vanety of electromc d^i^S^lS^tioS^ilFthS^^iim^ki?rA^p[i^^^^ 

. V ^ r\ n 1" accordance with the usual practice, a^jo leveT^iHdudrthose necessarylo handle one or more 

(yJplaMityiof:home:pa-ges:n.ay:be:resi^^^ ^^^^ ^^^^ by users of the world 

' (5^ ol s^i^ojLC' vJ puter_generallv^referred.to-as a A veb site .^Each.bLthe-home wide web server 

Ocrr>MP'vCuK^ pages:operatesias a:seryer:for:receiving:and:responding:to t^t^ ^ • m,* ■ ^ 

^ ^^'^«r,^^tf^r,o-o«^/^-«,-^o,,.«-f^ r.r.T-r.. ^r^\u^tt-r^^ FIG. 3 IS au lUustration of a computer mcorporatmg smart 

c^'W^conncctions_ana/or„mcssagcsrtromionc_or:morciclicnts-Cp . . . , . . . /_ ■ i- . 

»^ „„Hv;„oW«nr ;« oioof,^„;^ o«. i«n^ token hardware which can be used for runnmg either client 

(120J. Users participating in electronic commerce are logi- 25 server software 
cally related in a certification matrix using secufity^servers' 

0 > S^tfg^ 130 as set forth more in detail in the Infrastructure applica- 1° exemplary illustration, the computer is equipped 

^^^^''^ • tion referred to above. In addition, one or more indexing/. the usual display 300, keyboard 330, mouse 340 and 

/^^Ukz^'^ V^^^^s^ network. These ^"vcs 320. In addition, the computer is cqmpped with card 

S^'^ ^serversmay constitute white pages or yellow pages direc- 30 ^^^^^^ ^^^^^ ^^^^ ^"^^ ^^^"^^ io^a^m such 

tories and generally comply with CCIT T recommen dation ^"^^^ ^^^^ or PCMCIA cards. Preferably, the cards arc 

X.500. One or more sovTrs-may consBtut^^ smart cards and card readers both read/wnte smart cards. 

V pMy-(TTP):i50:5Ed"^f5?E::fiincabns:such~as Although the term "reader^' is used, it is to be understood 

oXa 92^\je/r<> notaryidrrescrow agent? Archiving::iER^i)n60 may pro- that the term, as used herem, is intended to cover the writing 

r I vide a r epository for documenting legal and contractual 35 smart tokens as a necessary and inherent part of a 

transactions and/or for maintaining certificate revocation "reader''. Card reader 350 is illustrated as connected to the 

aA.cVu»^\ lists as set forth more particularly in the Infrastructure computer over cable 360 which connects to a port on the 

S<^N/ application, referred to above. computer, such as an RS 232 port or via any other port or by 

LjL^ The Internet, including its world wide web a wireless connection. 

Y^pes^-^n subcomponents, contain large numbers of technically 40 ^^^^ ^^^^^'^ ^'^^^"^^^ d^^^'^^^ connected to 

sophisticated users, some of whom devote their time and computers, as illustrated in FIG. 1, or they may be built in 

efforts to "hacking" into other people's computer systems o^^er devices such as CPU 310, telephones, vending 

and gaining access to their information and/or implanting machines, or almost any computer equipped device, 

subroutines and viruses, the effects of which range from the Although card reader 350 is equipped with a slot 370 for 

humorous to the totally destructive. Thus, the Internet 45 insertion of a smart card, smart card readers are also 

environment, as it currently exists, is not suitable for reliable available which remotely sense the presence of a smart card 

and secure electronic transactions because of the extreme in the vicinity of the reader and communicate with the smart 

potential for compromise of credit card numbers and other card utilizing wireless technologies. In some such remote 

payment mechanisms and because of the unreliability of sensing card readers, the card readers broadcast an RF 

information posted to home pages, bulletin boards and the 50 energy signal which is detected by the smart card and a 

like. Thus, the augmentation of standard Internet environ- response is sent from the smart card back to the remote 

ment with security features, as illustrated in FIG. 1, is sensing card reader. An interchange of data may then occur 

necessary and desirable in order to facilitate electronic in both directions over the wireless link between the smart 

commercial transactions which are free of the problems of card and the reader. Some card readers are equipped with a 

the prior art 55 keypad and display. 

FIGZlIis^a^pjction of-a typical-so^^ FIG, 4 is a block diagram of an exemplary hardware 

a<worlci-wide-web servef> At the lowest level, an operating architecture of the computer of FIG. 3. CPU 410, keyboard 

system is utilized to provide high level functionality to the 430, mouse 440 and card reader 450 all correspond to items 

user and to other software. Such^arrop^ei^tingjystem^typi shown in FIG. 1. I/O controller 435, disk controller 425, 

callyjincludesIaZBIOS (BasicIInputlO^ 60 memory 415, RS-232 port 465 and network card/modem 

municatio"n^ftware 2103'rovides communications through 480 are not shown in FIG. 1 but are commonly found in 

C^mra^^MC^^^^ external port-to.CTetwprk byjri computer systems and are well known. Each of the devices 

<^d1>vOCVte. operatmg::systemlfunctioirility3^^ the shown in FIG. 2 intercommunicate over bus 475 either 

t) opaating:systeK(^rsh'own~6n^the~righ dirccUy or over their respective interfaces or controllers. 

accesMhe-hardware foTcornmunicationsroverihernetworb 65 One type of smart card reader which is preferred is the 

Item 220 represents an application programming interface model Quick Link card reader from Micro Card Technolo- 

which includes the security primitives set forth in the gies. It is a versatile, fast, reliable smart card interface which 
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SECURE WORLD WIDE ELECTRONIC Sender's authentication can also be achieved utilizing 

COMMERCE OVER AN OPEN NETWORK cryptographic systems. In a single key system, a sender, by 

encrypting a message wilh a key known only to authorized 

This application is related to U.S. application Ser. No, persons, tells the recipient that the message came from an 

08/573,025, filed Dec. 15, 1995 in the name of the same S authorized source. 

inventor and entitled SECURITY INFRASTRUCTURE In a public key cryptographic system, if the sender 

FOR ELECTRONIC TRANSACTIONS (hereinafter Infra- encrypts information using the sender's secret key, all recipi- 

structure application) which is incorporated herein by ref- ents will be able to decipher the information using the 

erence in its entirety. sender's public key, which is available to all. The recipients 

111 is application is also related to U.S. application Ser. lO can be assured that the information originated with the 

No. 08/573,033, filed Dec. 15, 1995 in the name of the same sender, because the public key will only decrypt material 

inventor and entitled SMART TOKEN SYSTEM FOR encoded with the sender's private key. Since, presumably, 

SECURE ELECTRONIC TRANSACTIONS AND IDEN- only the sender has the private key, the sender cannot later 

TIFI CATION (hereinafter Smart Token application) which disavow that he sent the information, 

is incorporated herein by reference in its entirety. 15 -j^^ encryption techniques provides a basis for 

Tcr-uMir-AT 171 PT n creating electronic signatures to documents which are even 

TECHNICAL FI ELD ^css subject to forgery than handwritten signatures. There are 

This invention is directed to the field of communication two ways in which encryption can be utilized to "sign" a 

systems and more particularly to communication systems document. The first method is by encrypting the entire 

which utilizes smart tokens, such smart cards or PCMCIA document using the signer's private key. The document can 

cards, and a public key infrastructure for enabling secure be read by anyone with the signer's public key and, since the 

electronic transactions to occur over an open network. signer alone possesses his private key, the encrypted docu- 
ment surely originated with the signer. Encryption of large 

BACKGROUND ART documents requires considerable computational resources 

Encryption of informaUon is normally undertaken to and, to speed up the process, a message digest may be used, 
ensure privacy, thai is, so that no one other than the intended ^ message digest of the document is analogous to a cycHc 
recipient can decrypt the information. Encryption is also redundancy code (CRC) check sum attached to the end of a 
undertaken to ensure the authenticity of the informaUon, that packet. The information in the body of the packet is pro- 
is, that a message which purports to originate with a par- 30 cessed mathematically to produce a unique check sum which 
ticular source actually does so and has not been tampered appended to the end of the packet. The integrity of the 
^jljj body of the packet is checked at the receiving end by 

"Encrypting" a message means to scramble it in a way recalculating the check sum based on the received text and 

which renders it unreadable to anyone except the intended .^"S "^^^^^^^ ^^f^^ f appended to the packet^ 

recipient. In one form, a cryptographic "key" is utihzed to 35 '\ ^''''' ''T/' u ^^^.^^^^ 

encrypt the message and the same key is required to trans- ^^^^^ ^ unchanged from that present at the sending end. 

form it from encrypted form back to plain text by decrypting ^^"^^ ^^^^ ^"^ire documents, 

it. An encryption system which operates in this way is modem unplemcntations, a message digest is created 

known as a "single-key" encryption system. In such a ^sing a cryptographically strong one way hash function 

system, the key must be available to both the sender and the 40 ^.^^^ message text and the message digest operates 

receiver. If unauthorized persons have access to the key, then ^^^^ a CRC check sum. 

they can decrypt the encoded message and the object of A clear text document may be signed by creating the 
privacy is defeated. The most obvious drawback of single message digest and then by encrypting the message digest 
key encryption systems is that it is not often convenient to using the signer's private key. Authentication that the con- 
provide the sender and the receiver with the same key, since 45 tent of the document has not been changed is achieved by 
they may be located far apart. A key can be transmitted • computing the message digest of the received text and 
across a secure channel from the sender to the receiver, but comparing it with the message digest decrypted using the 
if a secure channel is available, there is no need for encryp- signer's public key. If they agree, one may have a high 
tion. degree of confidence that the document has been unchanged 
In a public key cryptographic system each parUcipant has 50 ^^om the time it was signed, until the present and further, that 
two related keys. A public key which is publicly available ^hat which the sender "signed" was the same document, 
and a related private key which is not. The public and private Public key encryption software is widely available. For 
keys are duals of each other in the sense that material example. Pretty Good'™ Privacy public key encryption 
encrypted with the public key can only be decrypted using software is available for non-commercial use over the Inter- 
the private key. Material encrypted with the private key, on 55 net in a form published by Phillip Zimmerman. One version, 
the other hand, can be decrypted only using the public key. is PGP version 2.6.2 of Oct. 11, 1994. It is available from the 
The keys utilized in public key cryptographic systems are Massachusetts Institute of Technology at net-dis.rait.adu, a 
such that knowledge of the public key docs not help deduce controlled FTP site that has restrictions and limitations to 
the corresponding private key. The public key can be pub- comply with export control requirements. Software resides 
lishcd and widely disseminated across a communications 60 in the directory /pub/PGP. A fully licensed version of PGP 
network or otherwise and material can be sent in privacy to for commercial use in the U.S.A. and Canada is available 
a recipient by encoding the material with the recipient's through ViaCrypt in Phoenix, Ariz, 
public key. Only the recipient can decrypt material Some public key encryption systems utilize a single key 
encrypted with the recipient's public key. Not even the encryption of the body of the text with the key changing 
originator who does the encryption using the recipient's 65 from session to session. The session key is encrypted 
public key is able to decrypt that which he himself has utilizing the recipient's public key so that the encryption and 
encrypted. decryption times are shorter. 
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The Federal Data Encryption Standard (DES) is one 
available forai of single key encryption system. 

No data security system is impenetrable. In any data 
security system, one must question whether the information 
protected is more valuable to an attacker than the cost of the 
attack. Ihiblickey encryption systems are most vulnerable if 
the public keys are tampered with. 

An example will illustrate the problem. Suppose an origi- 
nator wishes to send a private message to a recipient. The 
originator could download the recipient's public key certifi- 
cate from an electronic bulletin board system and then 
encrypt the letter to the recipient with that public key and 
send it to him over an E-mail facility such as Internet. 
Unfortunately, an interloper could generate a public key of 
his own with the recipient's user ID attached to it and 
substitute the phony pubUc key in place of the recipient's 
real pubUc key. If the originator unwittingly uses a phony 
key belonging to the interloper instead of to the intended 
recipient, everything would look normal because the phony 
key has the recipient's user ID. Now the interloper is in a 
position to decipher the message intended for the recipient 
because the interloper has the related private key. The 
interloper may even go so far as to reencrypt the deciphered 
message vnth the recipient's real public key and send it on 
to the recipient so that no one suspects any wrongdoing. 
Worse yet, the interloper can make apparently good signa- 
tures on behalf of the recipient tjsing the private key because 
everyone will believe the phony public key is authentic and 
wiU utilize it to check the recipient's signatures. 

To prevent this from happening, requires preventing 
someone from tampering with public keys. If one obtained 
the recipient's public key directly from the recipient, there 
is no doubt about the authenticity of the public key. 
However, where the public key is acquired from a source of 
uncertain reliability, there may still be a problem. One way 
to obtain the recipient's public key would be to obtain it 
from a trusted third party who knows be has a good copy of 
the recipient's public key. A trusted third party could sign the 
recipient's public key, utilizing the trusted third party's 
private key, thus vouching for the integrity of the recipient's 
public key. However, to be sure that the third party's public 
key is authentic, requires that the sender have a known good 
copy of the third party's public key with which to check his 
signature. A widely trusted third party could specialize in 
providing a service of vouching for the public keys of other 
parties. This trusted third party could be regarded as a key 
server or as a certifying authority. Any public key certificates 
bearing the certifying authority's signature would be tmsted 
as truly belonging to whom they appear to belong to. Users 
who desire to participate would need a known good copy of 
the certifying authority's public key so that the certifying 
authority's signatures could be verified. 

Public key encryption systems are also subject to a 
vulnerability involving the use of bogus time stamps, A user 
may alter the date and lime setting of the user's systems 
clock and generate either public key certificates or signa- 
tures that appear to have been created at a different time. He 
can make it appear that a document was signed earlier or 
later than it was actually signed or that the public's secret 
key pair was created earlier or later. This may have some 
type of benefit, for example, by creating circumstances 
which might allow him to repudiate a signature. In situations 
where it is critical that a signature have the actual correct 
date and time, an electronic equivalent of a notary can be 
utilized. An electronic notary would apply the notary's 
electronic signature to other people's electronic signatures, 
thus witnessing the date and time of the signed document. A 
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notary could actually maintain a log of detached signature 
certificates and make it available for public access. The 
notary's signature would have a trusted time stamp which 
might carry more credibility than a time stamp on the 
s original signature alone. 

In most open network architectures, security is an ad hoc 
thing. Individual stations having access to the network may 
or may not choose to utilize encryption in their transmis- 
sions. If they do so, they alone are responsible for ensuring 
10 thai they have properly authentic keys of the person with 
whom they are communicating. Some efforts have been 
made to standardize security procedures for such a network. 
For example, the current state of the development for secure 
systems across the Internet is found in the Network Working 
Group Request For Comments No. 1421, dated February 
1993 (RFC 1421). This document addresses proposals for 
privacy enhancement for Internet electronic mail, namely, 
message encryption and authentication procedures. That 
document is incorporated in its entirety by reference into this 
application. 

A second proposal, Network Working Group Request For 
Comments No. 1422, also dated February 1993, addresses 
privacy enhancement for Internet electronic mail and par- 
ticularly addresses certificate-based key management. This 
document is also incorporated by reference into this appli- 
cation in its entirely. 

These proposals incorporate concepts utilized in the 
X.400 Message Handling System model of CCITT Recom- 
mendation X,400, the directory system Recommendation 
X.500 and the CCITT 1988 Recommendation X.509 
directed to an authentication framework. 

As advances in technology permit continued increases in 
the degree of miniaturization of electronic components, 
smart cards'bav e-be endevelo ped-whi ch-inc lude^a-proccssor 
and/or-memory-built:into:a^transport-medium the-size:ofra 
typicalzcreditrcant Tbeipn3'cfciss5rs^in^these~cards~canlbe 
programmed-lik e-any-ot ber-coinputer-to-pcrform-desired 
functions? Smart card readers are known which permit one 
to both read the contents of a smart card, but also to interact 
with the smart card to change its contents and to accomplish 
cooperative functions which can range from the simple to 
the sophisticated. 

A number of applications of smart card technology have 
been proposed. However, only relatively few have been 
actually implemented and those that have, have been limited 
mainly to a single subject matter dornain. 

Autoinaticteller machine banking is welHcnown in the arP 
by wWch one accesses a bank through Ihe use^ofra 

b ank card - or-^a creditf card and a perso nal identification 
number (PIN). Many: accbunl functioris can-be performed 
using" Al'M's; however, "Imany cannot. Further" tl^^re -is 
i nconvenience a.c grtfi'ai^pH- witl^ p hy sically travellipg to-a 
nearby ATMlnachihe ih order to obtain banking services^ 

Some-baiil« provide^^oivli 
informationrwluch might Jbe^^accessible from a user's .per- 
sonal~cpmputcr,7 biU:Jhes^^ not permit -many 

important and desirablezaccouat functionsv^such as cash^ 
withdrawals^ 

Credit cards are also well known in the art. A credit card 
issuer provides a line of credit to a card holder, typically, and 
the card holder draws on that line of credit to make pur- 
chases from merchants who accept the card. The merchants 
can obtain cash value from the credit card issuer almost 
immediately at the cost of a service fee or percentage. 

There have been proposals for the creation and use of 
electronic money. However, wide spread usage of the pro- 
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posals has not been achieved, perhaps because of the com- 
plexities associated with utilizing the technology and 
because of the capital investment required to equip com- 
mercial establishments with terminals which can accept and 

process electronic money. _ 5 

<0ne"Of-the:prpblems:witlrtfierprior art proposaLs is iliaP 
thcy^arc'directedTonlyJ^o^fi^^ 

v^ietjColTttie^.other rypes of services which might -be> 
performe^oyer^nopennctw^ not> 
addfessI sccureTTtransactions utili zi np , - HTPTP rHvpertex t 
Tfansfer "Proto col)~and they do~not~ addTess ^n rograni^ 
progranTco mmunicationsr> 

Another problem with the prior art identified above is that 
for the most part these represent recommendations and 
proposals and do not represent actual implementations of 
systems for carrying out secure transactions. 

Another problem with the prior art is that there is no 
consistent application programming interface usable in all 
types of environments where secured transactions are 
needed. 

Another problem with the prior art is that there is no 
consistent public key infrastructure which can actually and 
automatically provide the certifications required for a public 
key system. 

Another problem with the prior art is that there is no 
arrangement of certifying authorities which can cross policy 
certifying authority boundaries in pursuit of a global autho- 
rization system which will permit secure transactions to be 
undertaken world wide transparently. 

Another problem of the prior art is that there is no way for 
permitting secure transactions to cross organizational 
boundaries in a way that is convenient and transparent. 

Another problem with the prior art resides in the fact that 
there is no suitable over all system disclosed which permits 
the conduct of generalized world wide electronic commerce. 

DISCLOSURE OF THE INVENTION 



The^inven UonTdisclose d'he^ u 
ot'electronic-payments^-inclt Tding-creditcardlnumb^^^ ^ 
the::transfeEo01ectronic.cash across-an-open-netwdrlTin^ 

secure and rcliablc-manner. 

^ ^ 

The invention also permits the handling of various stock 
transactions, including tenders, in a secure fashion over an 
open network. 

The invention disclosed herein has as a purpose the 
application of smart token technologies to the above endeav- 
ors in a practical and highly secure way. 

Another advantage of the invention lies in the ability to 
use smart cards with integrated circuit chips or PCMCIA 
cards as smart tokens, 
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The^invention disclosed hereirTutilizes sm ait' token tcch- 
noloffles-aiid a-pub licrkeyci ntrastnicture::to~permit~worig 
wideTelectronic commerciaHransactiQns-to-bejmplemente^ ^ 
i a^a'highlv-secure-mahnerover-anopennetworK 

The disclosed invention also permits network users to rely 
on information placed on home pages or on other servers as 
authentic. 

The invention disclosed herein also permits a user to 
search via either a white pages or yellow pages server for 
selected information in order to locate the servers on which 
such information might be found. 

The invention disclosed herein also permits ordering of 
goods and services in a secure manner over an unsccurc 
network. 

The invention disclosed herein also permits the payment 
for goods and services to be transmitted across an open 
network without fear of diversion to an unauthorized payee. 

The invention also permits the delivery of intangible 
personal property and various electronic products in a secure 
fashion over a network. 

The invention disclosed herein also permits the negotia- 
tion and formation of contracts in a secure manner over an 
open network. 

The invention disclosed herein also permits conduct of 
auctions over an open network in a practical, reliable and 
trustworthy manner. 

The invention disclosed herein also permits the execution 
of guarantees in a tmstworthy and reliable manner over an 
open network. 
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Anotheradvanta^e-Qf-lhe-inventionis-that-allapplication^ 
level~procedurcs-can-be-implemented:utihzing"a~commQn 
s tapdard^application:prDgramming:interfacc . 

Another advantage of the invention Ues in a software 
architecture particularly s uited for use with smart to kens. 

Anoth^i^advantage;;ofithe:inven^ 
hardwarelrchit ecture w h ich enables s mart token jedinology 
to':b'eJutiliz6d"incxpensively-and-as^n add oiMo^^isting 
c omputersystems p 

Another advantage of the invention lies in the use of a 
smart token which handles identification and credentials, 
creates and verifies digital signatures, supports key and 
access management, and the fanctions of an electronic 
wallet or an electronic safe. 

One principal advantage of the invention is the ability to 
utilize smart tokens to undertake secure financial and other 
electronic transactions over a publicly accessible networks. . 

Another:adS^ta p^fItheribve ntiop-resides in-au^ ? 
^and^contfolled-access^to-networ&pplicaUons 
smarnoken. 

Another advantage of the invention resides in the creation 
and processing of electronic cash which can be securely 
transferred across a network or which can be used locally 
with the same degree of convenience as currency and 
coinage. 

Another advantage of the invention is the integration of 
smart token technology with a public key infrastructure to 
facilitate secure electronic transactions over an unsecure 
network. 

One advantage provided by the invention is that of 
providing a pubhc key infrastructure which will support 
global secure transactions across organizational, political 
and policy certifying authority boundaries. 

Another advantage of the invention lies in providing a 
c'onsistent-a^pplication^progranaming^^ can be 

utilized in all types of transactions for ensuring security and 
authenticity of the certified products. 

Anothe rCadyanlag e of-the i nven t ion-rcsides-in t herability 
tg^piovidelke^jnanagemen^^ 
manner andj:in:a:manneriwhich- protects- publ^^^^ 
t^mp^ring? 

Anothcr~advanta ge::ofltbe:invcntion-is-the- provisio n2pf3' 
trusted third^aKy^~ and notary-servicesr— , 

Another advantage of the invention is the provision of 
privacy and authenticity in the transmission of information 
by way of a consistent and easy to use interface. 

Another advantage of the invention is the provision of a 
certificate-based public key system in which certificates are 
readily available and verifiable. 

Another advantage of the invention is to provide a system 
where certificates are readily accessible and verifiable. 
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These and other advantages and objects of the invention simply by way of illustration of the best mode contemplated 

are achieved by providing a network for the conduct of of carrying out the invention. As will be realized, the 

electronic commercial transactions which uses public key invention is capable of other and different embodiments, and 

cryptography. The network include a plurality of user tcr- its several details arc capable of modifications in various 
minals connected to the network, at least some of which are 5 obvious respects, all without departing from the invention, 

equipped with the ability to read and/or write smart tokens Accordingly, the drawing and description are to be regarded 
containing cryptographic keys. A^pluralitynDf-serverszarid^ as illustrative in nature, and not as restrictive. 
ono>rrmorcIsecurity3OT 

n^tworfe The security server certifies th^^Uc'keys of BRIEF DESCRIPTION OF DRAWINGS 

u^sers registered to engage in commercial transactions or the lo ^ ^ representation of a network, such as the 

public keys of other security servers. Hie network is j^j^.^^t^ ^^^^^ ^ equipped for world wide electronic com- 

arranged so that encryption keys from a smart token may be merce 

authenticated by one or more security servers and used to ,.t^\, - ... ^ ■ ^ r 

ensure the origin and authenticity of electronic transactions ^ depiction of typical software architecture for 

J . , . .J * • 1 J , a world wide web server, 

conducted using said user terminals and servers. 15 

, . r Inzone-embodiment-thezserversZare^^ FIG 3 is an illustration of a computer incorporatm^ 

V^^^/.^ \ Iservers and the user terminals run web browser software" ^^^^^'^ ^^^^^^^ ^^^^^^ '^^^"^ 

9^^^^ such as Mosaic. The security servers link all registered users ^^^^ sottware. 

into a public key infrastructure. Information about the con- FIG. 4 is a block diagram of an exemplary hardware 
tents of servers may be obtained using an indexing system. ^0 architecture of the computer of FIG. 3. 

The indexing system may be a white pages directory, a FIG. 5 illustrates the software architecture of a typical 

yellow pages directory or the indexing system may be client shown in FIG. 1. 

generated by a webcrawler. FIG. 6 is a flow chart of a registration and certification 

The invention is also directed to a method of conducting process followed by users of the world wide electronic 

electronic commerce over an unsecured network by authen- commerce system. 

ticating (as to its origin) information placed on at least one FIG. 7 is a flow chart of a process for loading authentic 

server of the network, accessing the information, ordering a information into a server. 

product or services after accessing said information by pj^. 8 is a flow chart of a process for searching for desired 

sending an electromc message and authenticating said elec- information using index information generated by a web- 

tronic message as to origm. Ordermg of a product or service crawler 

may include an electronic payment. ^ rrr- a- a u ^ c c u r^ j 

. . . ^ : ^ . FIG. 9 IS a now chart of a process for searchmg for desired 

, rf..^J . Autfaenucating-informaagn^^a^^ information using index information found in a white/yellow 

C€rt^^l<^^* mcludes^denyingjjccesslto.a userTogged.on pages directory 

0'V*pf*^ editing functionaUtyJeadent:dTrsaid"server uidess-inf - r, , ^ r t ■ 

0 ,ti^reS^cdzfrom-saidZuserrdec^^^ ^ ^^^^ ^ P^°^^^ P^^^^^S 

authorized:pblicke3Lstofed"on:^ PIG. U is a flow chart of a Wnte_Check process, 

an electronic message as to origin may involve validating a FIG. 12 is a flow chart of a Make_Deposit process, 

public key of a public key encryption pair of a user origi- piG. 13 is a representation of an electronic credit card 

nating a message by using digital signatures of one or more transaction. 

certification authorities. Public keys stored on said server are pj^ 14 ^ exemplary layout of a Credit_Card domain. 

validated using a public key in frastmcture. Information on cTi^ i«* « u ^ e r> ^-^ ^ xi ■ 

. b f , . , , . ,. „ FIG. 15 IS a flow chart of a Credit Card Main process, 

application servers may be indexed in a white or yellow ^ , . „ , ^ » , , „ 

pages directory system, may be accessed by a webcrawler or ^ ^ ^^^"^ ^ Make_CC_Purchase process, 

may be discovered by an intelligent agent. PIG. 17 is a flow chart of a Make_CC„Payment process. 

The invention is also directed to a method of conducting FIG. 18 is a flow chart of a Receive_CC_Credit process, 

electronic commerce over an unsecured network by regis- FIG. 19 is a representation of an exemplary layout for an 

tcring users in a public key infrastructure system and ccrti- electronic cash domain. 

fying one or more public keys for each user and by authen- FIG. 20 is a flow chart of a Get_Cash process. 

ticating electronic transactions using a certified public key. 50 FIG. 21 is a flow chart of a Pay_Cash process. 

In this way, the binding between a public key and a user can pj^ 22 is a flow chart of negotiation and entry into a 

be authenticated. This method has applicability to a number contract in accordance with the invention. 

of business transactions such as in authenticating offers, ^i/^ • a u r *• • j 

. , . .. . ... FIG. 23 IS a flow chart ofan auction process in accordance 

counteroffers and acceptance m a contract negotiations -.u .u • *• 

*u tv u'j J* c <• with the invention, 

process; authenticating offers, bids and/or confirmations of 55 ^ . « . ^ , ... 

sale in an auction process; authenticating a guarantee; FIG. 24 is a flow chart of a process by which a guarantee 

authenticating orders and/or payments in a purchase/sell '^"^ negotiated and issued, 

transaction; authenticating transfers of intangible personal PIG. 25 illustrates a process for conducting a stock sale 

property; authenticating tender offers and/or one or more ^^ing an escrow agent over an electronic network, 

tenders of shares of stock; authenticating certificates of FIG. 26 illustrates a process of conducting a cash tender 

insiu-ance; authenticating transfers of intangibles related to offer over an electronic network. 

an escrow transaction and authenticating transfers of elec- FIG. 27 fllustrates a process by which the authenticity of 

tronic money. information on a server can be guaranteed in accordance 

Still other objects and advantages of the present invention with the invention, 
will become readily apparent to those skilled in the art from 65 FIG. 28 is a flow chart of the process by which authentic 

the following detailed description, wherein only the pre- information can be guaranteed on a server in accordance 

ferred embodiment of the invention is shown and described, with the invention. 
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conforms to ISO 7816 built into a housing fit for desk top other part of Layer 4 represents world wide web Mosaic 

use. It has a standard 9 -PIN serial interface cable, an AC Software or equivalent. Thus the application layer can 

adaptor, user's manual and software libraries on floppy disk, invoke either Mosaic software or the API directly and the 

It connects to a computer via a standard RS 232 serial port. Mosaic software can invoke the API functionality as well. 
It may function in the MS DOS, MS windows, and Unix S piG. 6 is a flow chart of registration and certification 

environments. Within those environments, the reader may process followed by users of the disclosed world wide 

handle a variety of diflferent smart cards. The reader cat] electronic commerce system. 

accommodate new card types as they become available by Th^pro^^^s^^tZSm^d^^ ^ 

providmg additional libraries. crrtlSSoSlhSmy^^^^ 

Typical cards, suitable for use with the invention, which lO registratioEl^tbT :^li^^:^if^5i:iith"ont^^ ^ P 
can be accommodated by the Quick Link card reader ™ • ^ — : . TTT c * - " 

included the Schlunibergei- ME 2000 card, the Gem Plus ^^ae^eA^mvest^yesJ^ 

lijir^r^f- -jr -i o- c^w i^ a a c -i r j apphcation in accordance With" the-PCA s policies- (610) rlf> 

MCOS card family, and the Siemens SLE 44 family of cards, — — ;^>^>tnv=^t. — - / 

. . ^ disappTpved7ia„reject„message_is^sent„(o20)„whereas jf , 

The Quick Link is also available m an OEM version for ap-pr6\^d:(615):th'^:5^pi^ ^ 
mtegration into other systems in a built-in form. A number ^5 Applicanti(625)ra-ne\CenUty:is^^ 

of different card acceptors (170 m HG. 1), which may be d,ata'baseaFd th^eMdZNewZCA/U ser process isperformed 

either passive, semi-active or active, are avaflable for use asjsetjgitt^^ 

the ACK. jjQl already acquired the software, the A]^licant acquires 

An aUemative embodiment of the invention would utilize Public Key Infrastructure (PKI) and smart token software 

a PCMCIA card and PCMCIA card reader in lieu of the and instaUs it on his system (630) and acquires a smart 

smart card technology just described. token. ApplicantTthenriopjon.toithe s ystem'usin g thc smart 

FIG. 5 illustrates a software architecture of a typical client tokens TTie logon process may use any of the techniques 

shown in FIG. 1. Smart card reader 550 and smart card 560 described in the Smart Token application refened to above, 

arc shown to illustrate the relationship to the layers of the Using:theTsoftware~thcrApplicantperfom 

software architecture. In the software layer closest to the Rgq^est p rocess~(discusscd hereinafter 635), self signs the 

hardware, namely layer 1, a plurality of drivers for different certificate and sends it to the certifying authority. rlf_the> ^ 

kinds of smart card readers are shown. Preferably, drivers for certificHK^failsr^ertain~edit:checks:{6'4^ /o^i 

each of the major manufacturers of smart card readers are SignaturelReject^me^ageTisTprepared 0 

installed and the driver for the particular smart card reader canU>The Applicant may then again modify the request and 

in use is selected for handling the interface to the smart card submit it as previously indicated at block 635. If the cer- 

reader. tificate is accepted (640-Y), the CA verifies the authenticity 

Layer 2 illustrates automatic^driver-select-software^ of the request, signs the certificate and performs 

which, although optional, permits automatic selection of a Certificatc_SignAtjire_Reply„(650^ 
driver from layer 1 which is compatible with a smart card 35 re^iv es^^rh? ^ce rtiflcate~contai ned-"in-the"Gertific^ 

reader 550 installed in the system. TypicaUy, this selection Sign a ture—Re ply -mess age — AppIicant==p6Tforms~tfac:::^ 

can be made by sequentially activating drivers in an Receive — Gertificate- pr ocess -(655):and:the:registratiQn:and:v 

interrogation/response mode to see which driver is compat- certification-process-is corapletc.--^ 

ible with smart card reader 550 or, alternatively, by checking FIG. 7 is flow chart of a process for loading authentic 

a configuration file, either generated automatically when the 40 information into a server. A user logs on (700) to a server, 

computer boots or generated manually as equipment is The-user logs on- (710) to the edit^subsystem usingl^trang ^ 
installed, which is permanently stored. Thus, <aut6matic^ a tithcntication~pTotoa3r rsuchTas:that"set'f6^ 

driver:selectidn:software:of:layer:2:has7a:nu"mbe^ TokeniappUcationireferreaitorabbve):^^ strong authenti- 

mechanisms:which"can:be:utiUze cation protocol utilizes a public key certificate for validation 

for:interfacing:smaftxOT:feader:550iviriih:rem of the identity of the station logging on and thus the attempt 

system? to logon to the edit subsystem results in a vahdation of the 

- Lay,er-3 -represents- an- operating- system .^ Hardw are:scr3 logon attempt against the stored public key of the authorized 

vicesIafOormally-provided-tbrough calls4o4h^^er^ user for that application server (720). If the public key test 

system:and:the:drivers:ar e written to be com patible:witl^ passes (720-P) the information contained in the home page 
■■e feratin g:system:iirusfe. 50 may be edited by addition, deletion or change (730). If the 

Iiayeri4:is:a:standardi2ed:application:programming:intcr> ^^gon attempt does not pass the public key check (720-F), 

face:(API):whlch:pennits"tHerapplicaU logon to the edit subsystem is not permitted and no change 

a cgnsisterit:interface:regardless^f c niay be made to the information. Typically, a user's public 

snwt:card.technology:(including sin^ key would be stored in the server at the dme the account was 
smart:card:560)xThusr applications can-be developed with^ SS set up for the application server and would be accessible for 
gut-regard~to~the:underlyingihardware-and~thcrefore-be :> checking by the system. Of course, a strongcauthentication-^ 
t ransponable from system:io:system:because of the standard-^ protocolzcouWzb'e^utilized^forra-scrverraccessiasiwclbas^ 

a pplication- program ming-interf ace. -^Tlicrapplication^pro^ access:t0-the.edjt-subsystemn5 

grammmg:mterrace-illustratedL^t:iayeri4:inclUde^^ FIG. 8 is a flow chart of a process for searching for desired 

ccrtain:prmitiy!^d6signcd:|o™ information using index information generated by a web 

cardTeaders directly-butTagpegalions of'tKose^ crawler. A web crawler is a process which runs on a 

weU~to:perform:standard higher lever.functionsr^Th appli- computer which systematically searches out and indexes 

cation programming interface preferably includes the appli- (800) the content of servers constituting the universe of web 

cation programming interfaces disclosed in the Infrastruc- sites. It is an ongoing process which associates at least the 
ture application and in the Smart Token application, both 65 name of the server and the titles of documents found there, 

referred to above. Thus, both Smart Token and security Typically, individual words (except for noise words) of a 

functions may be invoked directly and conveniently. The document title are placed in an inverted index to enable one 
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to find all documents which contain a particular word or 
combination of words. To use a web crawler index, a user 
logs on to the index server (810) and submits a search query 
(820). The query runs against the index (830) and hits are 
listed to the user (840), The user selects sequentially, hits of 
interest, and logs on to the server and home page where the 
indexed item is located, preferably by activating a hypertext 
link in the usual manner (850). The user then browses the 
home page for product/service information and optionally 
downloads an order form. 

FIG. 9 is a flow chart of a process for searching for desired 
information using index information found in a white/yellow 
pages directory. A user desiring listing on a white pages or 
yellow pages server sends a message requesting addition to 
the server with the appropriate information in a publicly 
known format (900). Assuming the format is correct, the 
user information is indexed and a confinnation reply mes- 
sage sent to the user (910). A different user searching to 
obtain information on products, services or on the other user, 
sends a request to the white/yellow pages server with query 
information and receives a list of index entries satisfying the 
query (920). The user selects the hits of interest and logs on 
to the server and home page listed in the index for the hit of 
interest, preferably using a hypertext link (930). Once 
logged on to the indicated server, the user browses the home 
page for product/service information and optionally down- 
loads an order form (940). 

FIG. 10 is a flow chart of a process for placing an order. 
The user logs on to a desired home page server identified in 
the manner described above (1000) and browses to the 
extent needed to select a product or service to order (1010). 
The user obtains an order form by either downloading it or 
by activating an order indication on the home page (1020) 
and fills out the order form with the needed information 
(1040). Optionally, payment may be included using one of 
the methodologies discussed hereinafter (1050). The user 
digitally .signs the order form and sends it to the server or 
directly to the vendor as specified in information contained 
on the server (1060). 

FIG. 11 is a flow chart of a Write __Chcck process. The 
process starts (1100) with display of an electronic check 
form with bank and check number filled in (1110). The user 
fills in the amount and the payee (1120) applies a digital 
signature (1130). The electronically signed check is trans- 
ferred to a payee's computer using e-mail or some other 
form of communications (1140), and a copy of the signed 
check is stored in the issued checks area (1150) of the 
domain of the smart token and the process ends. 

FIG. 12 is a flow chart of an electronic Make_Deposit 
process. The process begins at 1200 and the checking 
domain of a smart token is opened (1205). The function 
Make_Deposit is selected (1210), and the checks from the 
received checks area of the domain area are retrieved (1215) 
and listed on an electronic deposit slip (1220). If cash is to 
be deposited, the Open_Domain process is invoked with 
respect to the cash domain (1225) of the smart token and 
cash is retrieved for deposit, if any, and listed on the deposit 
slip. All items for deposit arc totalled (1230) and the deposit 
slip is signed using a digital signature (1235). If the bank 
issues a separate receipt for the deposit, that receipt is 
received and stored in receipt area of the checking domain 
and the account balance credited with the amount of the 
deposit (1245). A copy of the deposit is conveniently stored 
in the deposit area of the domain (1250) for later reference 
in reconciling the account or for analysis. If the bank's 
methodology is to return a signed copy of the deposit as an 
indication of receipt, steps 1245 and 1250 may be combined 
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and the signed copy of the deposit stored in the deposit area 
of domain and the process ends. 

FIG. 13 is a flow chart of a credit card transaction. In a 
normal cash transaction, the purchaser gives cash to the 

5 seller in exchange for goods and a receipt. A credit card 
transaction is similar in that the seller (1300) provides goods 
and a receipt, but payment is made through the intermediary 
of a bank (1310) and a credit card company (1320). The 
purchaser and the credit card company have a relationship 

10 by which the credit card company extends a line of credit to 
the purchaser. When the purchaser wishes to make a pur- 
chase using the credit card, the purchaser essentially prom- 
ises to pay the credit card company the amount of the 
invoice, albeit at a later time. The seller, on the other hand, 

15 desires immediate cash. The seller exchanges the credit card 
slip for the face amount less a service fee. Thus, the seller 
gets immediate cash while the purchaser is not required to 
pay immediately, but nevertheless receives the goods at the 
time of the transaction. 

FIG. 14 is an exemplary layout of a Credit_Card domain 
of a smart token. 

Block 1400 contains identifying infonnation about the 
credit card company, the account name and number, the 
credit limit and the account balance. Area 1410 represents a 

^ list of purchases in corresponding amounts. Item 1420 
contains a list of payments made to the credit card company 
on account. Item 1430 represents a list of returns or credits 
resulting from undoing all or part of a sale either by 
returning goods purchased or by rejecting services provided. 
Item 1440 is an area for storing receipts from the seller for 
later use. Item 1450 contains a list of the names of functions 
or processes utilized in conjunction with this domain. 
FIG. 15 is a flow chart of a Credit_Card_Main routine 

2 J which permits selection of one of several credit card func- 
tions and requires no further comment. 

FIG. 16 is a flow chart of a Make__Purchasc process using 
a credit card domain of a smart token. The process begins 
(1600) and an electronic charge sUp with issuer and account 
name/number fiUed in is displayed (1610). The user fills in 
the electronic ID of the seller and the amount (1620) and 
applies a digital signature (1630). The electronic charge slip 
is transferred to the seller's computer (1640) and a copy is 
stored in the purchase area (1650). An electronic receipt, 

45 electronically signed by the seller is returned, optionally, and 
is stored in the receipt area of the domain. The account 
unpaid balance is then increased by the amount of the 
purchase (1670) and the process ends. 

FIG. 17 is a flow chart of a Make_CC_Payment process 

50 using a credit card domain of a smart token. The process 
begins (1700) and the checking domain is opened (1710) 
and the function Write_Check (1720) is selected. Since the 
credit card domain is open as well as the checking domain, 
the payee information may be read from the credit card 

55 domain and filled in into the payee location in the check 
form in the checking domain (1730). The check is signed 
with a digital signature (1740) and the electronic check 
together with any return credits are transferred to issuer's 
computer (1750) and a copy is stored in the payments area 

60 of the credit card domain (1760). The account balances in 
checking and credit card domains are adjusted by the 
amount of the payment (1770) and the process ends. 

FIG. 18 is a flow chart of a Receive_CC_Credit process. 
The process begins (1800) and a copy of a stored receipt 

65 from the credit card domain is transferred to a seller's 
computer (1805). The type of refund to be received is 
determined (1810) and one of three branches of the process 
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is taken depending on whether the return is cash, credit or vent double spending by requiring merchants to contact a 

check. If it is check, the checking domain is open (1815) and bank's computer with eveiy sale. The bank maintains a data 

the electronic check for the return amount is stored in the base of all the spent pieces of digital cash and can easily 

area of received checks (1820). If the return is by way of indicate to the merchants if a given piece of digital cash is 

credit memo, an electronically signed electronic credit S still spendable. If the cash has already been spent, the 

invoice is received from the seller (1825) and stored in the merchant refuses the sale in a way similar to the way credit 

returns area of the credit domain (1830) and the account cards are currently verified. 

balance for that domain is reduced (1835). If the return There are at least two ways of overcoming the double 

received is electronic cash, and the cash domain is open spending problem with respect to electronic money. One 

(1840) and the cash stored (1895). After the credited amount lO way is to embed a special tamper proof chip into the smart 

is transferred back to the user, the user will receive a signed, card which would detect the attempt and would not permit 

modified receipt from the seller comprising a copy of the the transaction. 

original receipt with the return information appended The other way involves arranging the cryptographic pro - 

(1850). The modified receipt is stored in the receipts area of ^^^^^^ go that if a piece of cash is double spent, the act of 

the domain where the transaction originated (1855) and the 15 ^^^^y^ spending provides enough information that the 

o]d receipt is marked as invalid in view of the modified double spender can be identified. Digital cash systems can 

receipt (1860) and the process ends. accumulate the complete path that the digital cash has made 

Public key encryption enables one to create the electronic through the economy. ITiat is, the particulars of each trans- 
equivalent of money. A customer can go to the bank with a action are appended to the piece of digital cash and travel 
smart token, and, instead of filling out a withdrawal sUp and ^0 ^j^jj moves from person to person. When the cash is 
exchanging it for three one hundred dollar bills, the cus- finally deposited, the baiik will check its data base to see if 
tomcr can create an electronic withdrawal form which he the piece of digital cash was double spent, 
fills out and signs with his secret key. The withdrawal form with off-line anonymous digital cash, if the digital cash 
is transferred to the bank's computer where the bank verifies ^as double spent, the information accumulated along the 
it using the token holder's public key. If, instead of returning 25 ^^^^ accessible by virtue of the double spending, will 
one hundred dollar bills to the token holder, the bank were identify the double spender. In this way, the identity of the 
to take an electronic form by which it promised to pay to the spender is revealed only if the cash is double spent. If the 
bearer one hundred dollars and then sign that electronic ^ash is not double spent, the bank cannot detennine the 
token using the bank's private key, customers and merchants identity of the original spender nor can it reconstruct the path 
could verify the signed money orders using the bank's 30 ^^^j^ through the economy, 
widely published public key. ^ ^j^^^ ^^^^ ^^^^ ^^^^^.^^ properties of dec- 

A one himdred dollar biU is not much different from the tronic money tokens are: 

signed money order referred to in the preceding paragraph. ^ monetary value 

A hundred dollar bill contains indicia of authenticity in the 2 exchangeability' 

form of a counterfeit resistant design and authorized signa- ^ retrievabilit and 

tures. If, instead of a bank, the U.S. Treasury were to issue ' . ' 

electronic certificates signed by the U.S. Treasury's private 4. tamper resistance. . , 

key, these electronic certificates could be transferred from ^^^^ ^^^''""^^^ properUes of electronic monetary tokens 

user to user just like one hundred dollar bills. divisibility, traceability, and the ability to make cash 

„ ^ . , . ^ . 40 purchases m a convenient and easy manner. 

There are two types of diptal cash. One is c^Ued idenU- ^^ju ,^ ^.^^ ^ ^^^^ j^^^^ ^^^^ ^ ^^^^ 

fled digital cash and the other is anonymous digital cash. no one bm the owner can use it, is an important characteristic 

Identified digital cash contains information revealing the r . f *u • 4- a * j l 

. , . - . . of the system of the invention. As suggested above, any 

identity of the person who onemally withdrew the money u fu* » • u j 1 

r /t I t 11 J J- • 1 11 1-1 . number of biometnc measures may be utilized as a key to 

from the bank. Identified digital cash has a disadvantage , *u *u *u / 1 _ 

. . t_i . t , It. ^45 prevent anyone other than the actual owner from openmg 
that, lUce credit cards, it enables the bank to traclc the money 

ssinc a smart token containinc dicital cash. Thus, in 

as It moves through the economy. ^^^^-^^ ^^^1 1^^^^ p^^^^^^ protection, a 

Anonymous digital cash works just like paper cash. Once fingerprint comparison between the person attempting to 

anonymous digital cash is withdrawn from the bank, it can ^^^^ token and one or more stored fingerprints could be 

be spent without leaving a traasacUon trail. Anonymous necessary to access the contents of the token. A retinal scan 

digital cash is created by using numbered bank accounts ^^^^^^^ ^jg^hod that could be used, 

(that is, a bank account with only a number for identification Another convenient feature of smart token digital cash is 

and not the name and address of the owner) and blind ^^^^ ^^^^ pg^pig ^ould and probably would keep back up 

signatures. Blind signatures are discussed in the August, copies of their electronic bank notes, keys and other data. 

1 992 edition of Scientific American at pages 96-101 . 55 t^us, they could recover their funds if their token were lost 

There are two other ways of categorizing digital cash. On or stolen. If stolen, the biometric links that prevent use of the 

line digital cash requires one to interact with the bank via token, and if lost, the back up copy is indistinguishable from 

modem or network to conduct a transaction with a third the original. 

party. Off line digital cash can be transferred to a third party Another characteristic of electronic money is that a vari- 

wilhout direcUy involving a bank. go ety of restrictions and limitations on use can be imposed. For 

Off line, anonymous digital cash is the most complex example, if money were earmarked for educational 

form of digital cash because of the double spending prob- expenses, the identifications of iaslitutions where such 

lem. The double spending problem occurs because elec- money might be spent could be imposed as a restriction on 

tronic monetary certificates can be copied very easily. the spendability of the electronic money. Therefore, a stu- 

Therefore, if one has a one hundred dollar certificate signed 65 dent at Anywhere University could spend the money at the 

by a bank, it could be reproduced one hundred times and bookstore at the university or at the university dining halls, 

spent one hundred times. On-Une digital cash systems pre- but not at pool halls. 
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FIG. 19 is a represenlatioa of an exemplary layout for an 
electronic cash domain. 

Block 1900 contaias domain definition information as in 
the other domains. In this case, the current value field 
contains a summation of all certificates, such as that shown 5 
in FIG. 1910 converted, using conversion values from the 
nationality stated to a desired currency value. 

In the exemplary layout, a certificate includes the issuer 
name and issuer number, typically a bank name and bank 
number or the name and banking identification number of lO 
the national bank of the nation issuing the currency. The 
nationality is specified. The particular certificate illustrated 
in block 1910 is a certificate which can be divided into 
pieces and spent one piece at a time. Thus, the original 
amount might have been a hundred dollar bill which was 15 
issued by some bank and the history section of block 1910 
lists the amount, transferee and data and time of expenditure 
of pieces of the electronic currency spent to date. The 
amount remaining field is therefore a difference between the 
original^m ount the summation of the amount_ sp^nUo_datc. 20 

Block-192 0^provides -an-ar ea-for"Conv enicn t"tracki ng'oP 
cash-expenc3ilures-whicir^ill-remain-after-the-certificate 
listcd:in:1910-is exliMiste(ix>r:transferrcd?^As before, blocks 
1930 contain a list of functions associated with this domain, 
only two of which are shown for exemplary purposes, 25 

namely, Get_Cash and Pay_ Cash. . > 

FlG::20js-a-flow~chart~Qf-apjet~€ ash-T^Eocessr^ 
The process Begins~and~r ChSckmg domain is opened 
(2010), an electronic withdrawal slip is filled out (2020), 
signed electronically (2030) and transferred to the bank 30 
(2040). The bank validates the withdrawal slip signature 
(2050) and prepares an electronic cash certificate which it 
signs electronically (2060) and transfers it to the user's 
token or to the user's computer for transfer to the user's 
token. The user stores the electronic cash certificate from the 35 
bank in the electronic cash domain (block 2010) and updates 
the current value (2070) and t he pr ore.ss-ends. 
nGr2lTisIaIflo^^IiartU6fX^ay^ 
The process begins and Elecironic__Cash domain is 
opened (2110). A rephca certificate of block 2010 of FIG. 20 40 
is prepared for transfer, substituting the amount to be paid as 
the face amount of the certificate being transferred and 
omitting the remaining amount field (2120). The amount, 
transferee and date/time information is entered into the 
history field and in the receipts field (2130). The entry in the 45 
receipts field is temporary pending transfer of a receipt from 
the payee. If no receipt is transferred, the entry becomes 
permanent. The replica certificate as modified is signed and 
transferred to the payee's token or to the payee's computer 
(2140). The payee sends a receipt (optionally) and such 50 
receipt is received and stored in the receipts for cash 
expended block of electronic cash domain of the purchaser's 
token. 

In the way described, the electronic cash domain of the 
smart token can be utilized to perform what is essentially an 55 
electronic wallet function for holding electronic money. 

FIG. 22 is a flow chart of negotiations and entry into a 
contract in accordance with the invention. The offeror pre- 
pares an offer (2200) and applies his digital signature to the 
offer and sends it to the offeree (2210). If the offeree docs not 60 
accept the offer (2220-N) the offeree makes changes to the 
offer (2250), applies his digital signature to the revised offer, 
thereby becoming a counter offeror and sends it to the other 
party, who at this time is now a counter offeree (2210). If the 
counter offeree accepts (2220-y), the counter offeree applies 65 
his digital signature (2230) and a contract results. Because 
of the one-way hash function utilized to create a represen- 



tation of a document (discussed above) to which a digital 
signature is applied, the content to which a particular sig- 
nature applies is always clearly defined. A digital signature 
by the offeror and the offeree or counter offeror and counter 
offeree unambiguously identifies the text to which the par- 
ticular signing party has agreed. A contract results when both 
parties have signed the same text utilizing their secret keys. 
Their signatures can be validated utilizing their correspond- 
ing public keys and the certificates associated with the 
pubUc key infrastructure. 

FIG. 23 is a flow chart of an auction process in accordance 
with the invention. When conducting an auction over a 
network, the auctioneer makes available in advance a 
description of the goods and the terms under which the 
auction will be held, including such items as minimum bid 
(2300). The auctioneer opens the bidding by posting a 
solicitation of bids to a bulletin board or a chat room which 
constitutes an electronic analog to an auction floor (2310), 
Each bidder interested in bidding, composes a bid by includ- 
ing a description of the goods/terms of auction together with 
a bid amount and apphes a digital signature to the composite 
bid (2320) and optionally attaches a public key certificate 
authenticating his bid utilizing the capabilities of the pubhc 
key infrastructure. 

The bidder then posts the composed bid to the BBS or to 
the chat room (2330). As bids are received, the highest bid 
is posted to the BBS or to the chat room (2340). The 
auctioneer notifies participants of the time at which bidding 
will close by a notice to the BBS or the chat room (2350). 
If the time has not expired (2360-N), additional bids may be 
composed by looping back to block 2320. Once the time 
expires (2360-Y) the auctioneer posts the winning bid and 
digitally signs the winning bid together with description and 
tenns (2370). Payment can be escrowed with a trusted third 
party in exchange for delivery (2380) if tangible property is 
involved. Intangible personal property can usually be trans- 
ferred by applying a digital signature to an appropriate 
transfer document in exchange for payment. Similarly, in 
auctions involving property subject to a certificate of title, 
title can be changed by an appropriately signed and authen- 
tic electronic transfer of title, presumably via the tithng 
agency. 

FIG. 24 is a flow chart of a process by which a guarantee 
can be negotiated and issued. An offeror, an offeree and a 
guarantor negotiate the terms of the substantive contract and 
the terms of the guarantee (2400). The offeror and the offeree 
digitally sign the agreed on terms of the contract subject to 
a guarantee and forward the signed contract to the guarantor 
(2410). The guarantor applies his digital signature to the 
signed contract indicating acceptance of the terms of the 
guarantee (2420) and the contract signed by the guarantor is 
sent to the offeror and the offeree. 

Shares of stock in a corporation are generally represented 
by a stock certificate signed by a corporate ofiBcer or officers. 
Such stock certificates are issued in exchange for cash or 
other consideration. When a shareholder desires to sell 
shares of stock, this can be done either through a private sale 
or through someone who makes a market in the shares of 
stock in the corporation. There is no reason why certificates 
of stock cannot be electronic documents signed utilizing the 
secret key of the corporation as an indicator of authenticity. 
Similarly, there is no reason why those shares cannot be 
transferred as intangible personal property by a transfer 
agreement. To prevent fraud or deception, it is common to 
release the cash from a purchaser of stock to the seller of 
stock only when the shares have been properly transferred to 
the purchaser. 
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FIG. 25 illustrates one way of performing such a trans- 
action. Assume that shareholder S is a holder of a stock 
certificate in corporation Y, seller S desires to sell the shares 
of stock to purchaser P in exchange for cash. FIG. 25 
illustrates a sale which settles utilizing an escrow agent 
(2530). Assuming that corporation Y has issued shares of 
stock to seller S in the form of an electronic certificate, seller 
S digitally signs a copy of the stock certificate together with 
an assignment of ownership and tenders it to escrow agent 
2530. The escrow agent also receives a transfer of cash or 
credit from purchaser 2520 to be held subject to the settle- 
ment of the transaction. The escrow agent forwards the 
certificate and assignment to the corporation for issuance of 
a new certificate and when a new certificate is issued in favor 
of the purchaser, the new certificate can be forwarded to the 
purchaser and the purchaser's cash or credit transferred to 
the seller. As set forth above, this cash can be electronic 
cash, a check drawn on a bank, with or without guarantee, 
or cash the escrow agent receives from a credit card com- 
pany drawing against a line of credit in favor of the 
purchaser. 

A stock broker and a market maker essentially perform 
the function of the escrow agent in cases where the seller and 
the purchaser do not know of each other's mutual desire to 
sell and purchase the stock respectively. 

FIG. 26 illustrates a process of conducting a cash tender 
offer over an electronic network. The tender offeror makes 
a tender offer 2610 to all shareholders S„ individual share- 
holders make a determination whether or not to tender their 
shares in accordance with the offer. If they do (2615), they 
either offer to tender their shares or actually tender their 
shares to the agent by either digitally signing the tender offer 
after completing the number of shares to be tendered or by 
transferring a digitally signed copy of their share certificate 
together with assignment language. When the required num- 
ber or percentage of shares have been tendered by 
shareholders, the agent notifies the tender offeror that the 
conditions of the tender offer have been met and the tender 
offeror will fund the tender offer (2630) subject to the 
transfer of shares into tender offeror's name. The certificates 
tendered to the agent are transferred to the corporation 
(2640), each including the appropriate assignment which has 
been digitally signed by the shareholder. The corporation 
then aggregates the shares and issues a new certificate to the 
tender offeror (2650) and submits the share certificate to the 
agent. The agent then is in a position to settle the transaction 
by distributing the cash proceeds to the shareholders who 
tendered their shares and a share certificate to the tender 
offeror, and the transaction is completed. 

The operation of the invention will now be described with 
respect to an example involving an insurance company. In 
FIG. 27, insurance company 2700 maintains a home page on 
world wide web server 2710. The world wide web server and 
the insurance company public key for a pubbc key encryp- 
tion system and are duly registered and certified by certifi- 
cation authorities 2730. Thus, when the insurance company 
logs on to its world wide web server 2710, utilizing a strong 
authentication as set forth in conjunction with the Smart 
Token application, the authenticity of the log on can be 
determined by verifying the public key through the certifi- 
cation hierarchy or matrix to a common point of trust 
namely, the highest certification authority (CA) shown in 
FIG. 27. Since the public key certificates for the world wide 
web server and for the insurance company both contain that 
highest certification authority public key, the authenticity of 
signatures by the lower level certification authorities and 
ultimately the public keys of the insurance company and the 
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world wide web server can be determined to be genuine. 
Thus, the server and the insurance company can be assured 
thai the party at the other end is who they purport to be. 
Server 2710 can therefore permit the insurance company to 

S log on to the edit system and make changes to the informa- 
tion on the server and vouch for authenticity of the infor- 
mation to its clients by virtue of the public key certification 
matrix. Thxis, the information on the world wide web server 
can be considered authentic. 

10 The insurance company, in addition, may wish to make 
itseff available to a public audience by registering with 
either a white pages or a yellow pages server such as 2720. 
Alternatively, the insurance company's home page on the 
world wide web server can be indexed by a web crawler 

15 which discovers its presence during the course of universal 
indexing of the servers it finds. 

FIG. 28 illustrates the process just described in a some- 
what different format. 

FIG. 29 illustrates a process by which searching and 

20 retrieval of information over the network is accomplished in 
accordance with the invention. The search begins when user 
2920 desires to determine information about insurance. The 
user logs on to an indexing system such as a white pages 
server, a yellow pages server, or a web crawler and submits 

25 a query including, for example, the term "insurance." The 
indexing system retrieves a list of servers and home pages 
for articles on servers in which the term "insurance" appears 
either in the title or in the full text of the information 
indexed. The locations are returned as a list of "hits" which 

30 the user considers to determine whether the server listed is 
an appropriate candidate for further consideration. When a 
good candidate is identified, the user will log on to the server 
identified by the indexing system, preferably through the use 
of a hyper text link and the user views and/or downloads 

35 desired information from the world wide web server 2900. 
If this information does not meet the user's needs, other hits 
may be considered until an appropriate hit is found. 

FIG. 30 illustrates a process by which an order is placed 
in accordance with the invention. When the user finds a 

40 server containing information about a product the user 
wishes to acquire, the user may place the order in any of 
several ways. In one form, the user may engage in an 
interactive dialog with the server until a server has adequate 
information for the order to be processed. Then, the insur- 

45 ance company can retrieve that information from the server 
and process the order. In an alternative, but preferred form 
of the invention, the Mscr retrieves an order form from the 
server which the user then fills out and sends the signed 
order form (offer) to the insurance company, optionally 

50 including payment using any one of the modes described 
herein. If the insurance company is willing to accept the risk, 
it will digitally sign the order form indicating its acceptance 
and, if the policy is to be issued in electronic form, U-ansfer 
a digitally signed insurance policy to the user assuming 

55 appropriate payment or provision for payment has been 
made. 

FIG. 31 describes this process in somewhat more detail. 
FIG. 32 illustrates the relationships between a merchant's 
business application software and other network compo- 

60 ncnts. A vendor's interface to electronic commerce is 
described in some detail above and in the incorporated 
copending applications. The hardware and software archi- 
tecture is described above. In addition to maintaining a home 
page on a web server, an insurance company will likely 

65 maintain its own user access to the Internet and particularly, 
to the world wide web. The user is registered and certified 
by a certification authority 3210, thus placing him at a point 
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in the certification hierarchy or matrix and enabling others to 
confirm the authenticity of his public keys. The insurance 
company can connect to banks to perform the various 
financial transactions described herein and in the incorpo- 
rated applications, and the insurance company can receive 
orders (3240) and issue certificates of insurance (3250) over 
the network. All of this done in a secure and, if desired, 
private manner. Typically these business transactions are 
tracked and monitored using the insurance company's busi- 
ness applications (3230). These business applications might, 
for example, including accounting software for tracking the 
volume of business, applications for tracking losses and for 
tracfa'ng the progress of claim settlements. It might also 
track cash flow and stock transactions of the type described 
herein. It may also maintain records of agents* commissions, 
perform required mass mailings, keep list of policies in 
force, and, of course, perform billing when manual methods 
of billing are used. 

Thus, from the insurance company example, one can see 
that a system has been described which enables electronic 
commerce to be conducted over an otherwise unsecure 
network in which the privacy and authenticity of the trans- 
actions can be maintained against even detenmined attacks 
by hackers using public key encryption. 

In this disclosure, there is shown and described only the 
preferred embodiment of the invention, but, as 
aforementioned, it is to be understood that the invention is 
capable of use in various other combinations and environ- 
ments and is capable of changes or modifications within the 
scope of the inventive concept as expressed herein. 
<Wliat3isrclain ie3-isP^ 

1 . A'^world-wide system/netwof^lTfdrlthe.conductTof elec^ 
troniclcommercial-andlndn^coirimcrciallbusiness-transa^ 
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tions_based -on— a-global_ne twork_^public-15e)Csecurity^ 
inft^structur6,„coniprisingy> 

a^pluraiity3f-user_tenninals connected to the network, at 
least some of said user terminals equipped with the 
ability to read and/or write smart tokens containing one 
or more encryption keys; 

a;pjurayty:of application/information servers connected to 
the network and configured to link to the security 
infrastructure; and 
'^^me^r-more-security-serve^ cormectcd to the network, 
each for certifying the public keys of users registered to 
engage in electronic business transactions or the public 
keys of other security servers, 

wherein encryption keys fetched from said security serv- 
ers arc capable of being authenticated by one or more 
of said user terminals and used to ensure the origin and 
authenticity of electronic commercial transactions con- 
ducted using said user terminals and said application/ 
information servers. 

2. The network of claim 1 wherein said application/ 
information servers are selected from the group consisting of 
world:wkie^web;servers; large capacity video, and document 
or data base servers. 

3. The network of claim 1 wherein said one or more 
security servers link all registered users, companies and 
other participants into a public key infrastructure. 

4. The network of claim 1 wherein user terminals mn welP 
bro wser^f tware -and/or^E^nail^ft^^c . 

5r5^D6twork:ot'claiim"l3whefei"n~information:about:the 
contents^f-said:appUcation/infonnation:scrvers:is-oM 
using-one-of-^an-ind^ing syslemj-electfonic^Jwhite/yeUow::^ 
pages:dir6ctpry,-intelhgcnt::agenls-or„search_and_retri6val^ 
<system7 65 

6. A method of conducting electronic commerce over an 
unsecured network, comprising: 
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registering users in a public key infrasuiicture system by 
providing encrypting information to the users that is 
stored in smart tokens of the users, and certifying one 
or more public keys for each user, the public keys being 
used to decrypt information that has been encrypted by 
the corresponding smart token of said each user; and 

authenticating electronic transactions using certified pub- 
lic keys that are used to decrypt information that has 
been encrypted by the smart tokens, wherein a binding 
between a public key and its owner can be authenti- 
cated; 

whereby authentic and authorized business transactions 
can occur in said unsecured network. 

7. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating offers, counteroffers and accep- 
tance in a contract negotiations process. 

8. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating offers, bids and/or confirmations of 
sale in an auction process, 

9. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating a guarantee. 

10. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating orders and/or payments in a 
purchase/sell transaction. 

U. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating transfers of intangible personal 
property. 

12. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating tender offers and/or one or more 
tenders of shares of stock. 

13. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating certificates of insurance. 

14. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating transfers of intangibles related to 
an escrow transaction. 

15. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating transfers of electronic money. 

16. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating transfers of one or more software 
modules. 

17. The method of claim 6 wherein the step of authenti- 
cating electronic transactioas using a certified public key 
comprises authenticating transfers of one or more copy- 
righted documents. 

18. The method of claim 6 wherein the step of authenti- 
cating electronic transactions using a certified public key 
comprises authenticating transfers of one or more licensed 
materials. 

19. A method of conducting electronic commerce over an 
unsecured network, comprising: 

authenticating, as to origin, information placed on at least 
one application/information server of said network; 

accessing said information in an authentic and authorized 
way by outputting information encrypted by a smart 
token that has a private key used for encryption stored 
therein; 

ordering products or services after accessing said infor- 
mation by sending or exchanging electronic messages 
that have been encrypted with said private key; and 
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authenticating said electronic messages as to origin, 
recipient, or trusted third party, 

wherein the step of authenticating said electronic mes- 
sages as to origin includes validating a public key of a 
public key/private key pair of a user originating at least 
one of said electronic ntiessages using digital signatures 
of one or more certification authorities and using the 
public key for validation of the at least one of said 
electronic messages. 

20. The method of claim 19 wherein the step of authen- 
ticating as to origin information placed on at application/ 
information server unless access information received from 
said user decrypts and verifies properly tising an authorized 
public key belonging to the application/information server. 

21. The method of claim 19 wherein all public keys used 
in the protocol are validated using a public key infrastruc- 
ture. 

22. The method of claim 19, further comprising the step 
of indexing said information on an indexing server, which 
may be the same or different from said application/ 
information server. 

23. The method of claim 19, wherein the step of ordering 
a product or services after accessing said information by 
sending an electronic message further comprises making an 
electronic payment, 

24. The method of claim 19 wherein all information 
received from remote client stations are locally processed 
and coupled with individual data processing applications of 
the services or goods provider. 

25. A world wide system for secure, reliable and autho- 
rized electronic transactions and applications performed 
over computer and data transmission networks, comprising: 

a plurality of network servers and associated data bases 
including application/information servers, indexing 
and searching servers, addressing servers, security 
servers, or Trusted Third Parties servers; 

a plurality of types of multifunctional and multipurpose 
client stations, with user interaction tools, functions and 
interfaces for different types of electronic transactions; 
and 

a plurality of electronic business transactions protocols to 
access servers, to fetch information, data and services 
and to perform a plurality of electronic business trans- 
actions. 

26. The system of claim 25, wherein the system is capable 
of performing ofiScial electronic registration of participants 
containing distinguished names, any other identification 
attributes, addressing and accessibility information, and 
professional information. 

27. The system of claim 25, wherein the system is capable 
of being used for establishment of business and authoriza- 
tion profiles of participants, both companies and individuals, 
required in order to perform specific authorized electronic 
transactions. 

28. The system of claim 25, wherein the system is capable 
of being used for controlled insertion, storage and distribu- 
tion of authentic information about various products and 
services in a form of one or more of multimedia catalogs, 
brochures, sound and video advertising materials, and elec- 
tronic "yellow pages", based on usage of application/ 
documents servers and browsers. 

29. The system of claim 25, wherein the system is capable 
of being used for electronic ordering of goods, products and 
services, for various financial transactions, and for various 
other types of business, commercial and non-commercial 
transactions, all enhanced with security features. 

30. The system of claim 25, wherein the system is capable 
of being xised as support for negotiation and establishment of 
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electronic commerce documents and electronic financial 
transactions enhanced with digital signatures and security 
features. 

31. A method for encoding a smart token for use in 
electronic commerce over an unsecured network, compris- 
ing: 

sending over the unsecured network, by a user at a user 
terminal to a certification server, an application for 
encoding the smart token; 

determining, by the certification server, whether the user 
is authorized to encode the smart token; 

sending, from the certification server to the user terminal, 
information as to whether the user has been authorized 
or disapproved from encoding the smart token; 

if the user has been authorized to obtain the smart token, 
sending information for encoding the smart token from 
the certification server to the user terminal over the 
unsecured network, 

wherein the tiser is capable of conducting electronic 
commerce transactions over the unsecured network 
using the encoded smart token, and 

wherein an application/information server connected on 
the unsecured network is capable of determining 
whether the user is authorized to edit any programs 
stored within the application/information server by 
comparing information encoded with a private key 
from the smart token of the user with information 
stored at the application/information server that corre- 
sponds to public keys of all authorized entities that are 
allowed to edit the programs stored within the 
application/information server. 

32. The method of claim 31 wherein the smart token 
includes encryption keys that are utilized to ensure secure 
and authentic transactions between the user at the user 
terminal and another device connected to the unsecured 
network. 

33. The method of claim 32, further comprising: 
verifying, by sending a request from the another device to 

a security server, whether a public key of the user 
accessing the another device is certified, 
wherein, if the public key of the user is certified, the user 
is authorized to conduct electronic money transactions 
with the another device. 

34. The method of claim 32, wherein the smart token is a 
physical card that is encoded with software received from 
the certification server when the user is authorized, and 

wherein the user is capable of utilizing the smart token to 
provide encoded information sent over the unsecured 
network with the private key of the user, and 

wherein the user is capable of using the smart token as a 
credit card or a debit card for conducting commercial 
transactions at physical locations separate from the 
unsecured network. 

35. A system for conducting electronic commerce trans- 
actions over an unsecured network, comprising: 

at least one user terminal connected to the un.secured 
network, the at least one user terminal configured to 
read and write smart tokens containing at least one 
encryption key stored therein; 

at least one application/information server connected to 
the unsecured network and configured to link to a 
security infrastructure within the unsecured network; 
and 

at least one security server connected to the unsecured 
network and configured to certify public key of users 
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registered to engage in the electronic commerce trans- 
actions over the unsecured network, 
wherein the at least one application/information server 
sends a request for authentication to the at least one 
security server for verification of a particular public key 
received from the at least one user terminal when the at 
least one user terminal desires to conduct a particular 
electronic commerce transaction over the unsecured 
network with the at least one application/information 
server, 

wherein the at least one security server determines 
whether the at least one user terminal has been previ- 
ously registered and certified to conduct the electronic 
commerce transactions and has a valid smart token, and 

wherein the at least one application/information server 
receives information from the at least one security 
server concerning whether the user is authorized and 
allows the particular electronic commerce transaction 
to take place if the user is authorized. 

36. The system of claim 35, wherein the particular elec- 
tronic commerce transaction takes place between the at least 
one user terminal and the at least one application/ 
information server by the at least one user terminal encoding 
data with a private key from the smart token and outputting 
the encoded data to the at least one application/information 
server over the unsecured network, and by the application/ 
information server using a public key of the user obtained 
from the at least one security server to decode the received 
data over the unsecured network to determine what type of 
electronic commerce transaction is desired by the user 

37. A method of conducting electronic commerce over an 
unsecured network, comprising: 

registering a user in a public key infrastructure system by 
obtaining a registration request from the user over the 
unsecured network and determining that the user is 
authorized to conduct electronic commerce over the 
uasecured network; 

sending information for encoding a smart token to the 
user over the unsecured network, the encoded smart 
token to be used by the user to conduct the electronic 
commerce over the unsecured network; 
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requesting a particular electronic commerce u-ansaction 
between the user and an application/information server, 
the request being made over the unsecured network; 

determining, by the application/information server, 
whether the user is authorized to conduct the particular 
electronic commerce transaction by requesting autho- 
rization of the user from a security server; and 

if the user has been determined to be authorized, then 
utilizing, by the application/information server, a cer- 
tified public key of the user to conduct the particular 
electronic commerce transaction between the user and 
the application/information server, 

wherein the user utilizes a private key obtained from the 
smart token to conduct the particular electronic com- 
merce transaction between the user and the application/ 
information server. 

38. A method of conducting electronic commerce over an 
unsecured network, comprising: 

authenticating, as to origin, information received by at 
least one application/information server over the unse- 
cured network, the authenticating being performed by 
determining whether the information received over the 
unsecured network is capable of being decoded using 
an authorized public key of the least one application/ 
information server; 

if the authenticating step determines that the origin Ls not 
an authorized origin, denying access to the at least one 
application/information server by a user that sent the 
information; 

if the authenticating step determines that the origin is an 
authorized origin, allowing access to the at least one 
application/information server to conduct an electronic 
commerce transaction between the origin and the at 
least one application/information server; and 

authenticating electronic messages sent between the ori- 
gin and the least one application/information server 
throughout the conducting of the electronic commerce 
transaction as to source, destination, or trusted third 
party. 
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